HTTPS-only mode no longer works as it did before Firefox 91
Categories
(Core :: Networking, defect, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | verified |
| firefox91 | --- | wontfix |
| firefox92 | --- | verified |
| firefox93 | --- | verified |
People
(Reporter: u690345, Assigned: kershaw)
References
(Regression)
Details
(Keywords: regression, reproducible, Whiteboard: [necko-triaged])
Attachments
(1 file)
48 bytes, text/x-phabricator-request
RyanVM: approval-mozilla-beta+
RyanVM: approval-mozilla-esr91+
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Steps to reproduce:
Activate "Enable HTTPS-Only Mode in all windows" in privacy settings.
I'm not using Private Browsing mode. This also happens with a fresh profile.
Behavior with Firefox 91.0:
1.) Visit https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X
2.) Click on "Support" in the upper right corner
3.) Firefox shows a warning that the website does not use HTTPS
1.) Visit https://www.nvidia.com/Download/index.aspx?lang=en-us
2.) Select any driver (the preselected options are sufficient)
3.) Firefox shows a warning that the website does not use HTTPS
Behavior with Firefox 90.0.2:
1.) Visit https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X
2.) Click on "Support" in the upper right corner
3.) The website with the latest driver is displayed without warning
1.) Visit https://www.nvidia.com/Download/index.aspx?lang=en-us
2.) Select any driver (the preselected options are sufficient)
3.) The website with the latest driver is displayed without warning
If "dom.security.https_only_mode_break_upgrade_downgrade_endless_loop" is set to "false" in about:config, this warning no longer occurs in Firefox 91.0.
Actual results:
Since Firefox 91, there is a warning on both websites that HTTPS is not available.
Expected results:
There should be no warning.
If you click on "Continue to HTTP Site", you will be redirected to the corresponding website with HTTPS.
If you change the URL in the address bar on the warning page from "http://" to "https://", the website also loads without problems.
These warnings exist only since Firefox 91.0. In the previous version this problem did not exist, and obviously an https variant exists.
Comment 1 • 4 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
(In reply to Acursen from comment #0)
> Behavior with Firefox 91.0
> 1.) Visit https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X
> 2.) Click on "Support" in the upper right corner
> 3.) Firefox shows a warning that the website does not use HTTPS
In Firefox 91+:
- Left click on "Support" => warning shown.
- Middle click on "Support" => warning shown.
- Right click on "Support", select any of the "Open Link in New YYY" entries => warning shown.
- Copy the "Support" link, i.e. http://www.msi.com/Motherboard/support/MPG-Z590-CARBON-EK-X, open a blank new tab, paste the link and press enter => no warnings.
Same with OP, warning is not shown in all cases by setting dom.security.https_only_mode_break_upgrade_downgrade_endless_loop to false.
Notes
In https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X, clicking "Support" will eventually reach https://www.msi.com/Motherboard/support/MPG-Z590-CARBON-EK-X even if HTTPS-Only Mode is disabled.
Regression
Last good Nightly: 2021-06-24
First bad Nightly: 2021-06-25
pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9b2ffc8e850587f349301559d397a384ef5c7508&tochange=b9a82200b994f1d8c24f4cc2881b01f245c82757
Bisecting autoland builds:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b626c01bd196a9a7d3d20810319f5140aa04e21e&tochange=60d705792e3a71df76d57f1de7a2e44756bbfe3d
This is regressed by bug 1716069.
Comment 4 • 4 years ago
This is regressed by removing user gesture check in bug 1716069.
I think the correct solution is only checking if it's user gesture when the redirect chain is empty.
In a summary:
- When the redirect chain is empty, this is the first load. We should check if this is triggered by user gesture.
- When the redirect chain is not empty, we should not check user gesture, since this channel is created due to redirection.
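The decision described in comment 4, written out as an added example. This is not Firefox's code (the real detector behind dom.security.https_only_mode_break_upgrade_downgrade_endless_loop is not reproduced here); the types and functions below (Uri, LoadState, ShouldShowWarningRegressed, ShouldShowWarningFixed) are hypothetical, and the way the pre-fix heuristic trips on a link click is modelled by comparing the requested URI with the page the click came from. The MSI URLs are the ones from the report; the loop.example scenario is constructed.

```cpp
// Added example modelling comment 4's rule; not Firefox's own code.
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

struct Uri {
  std::string scheme;  // "http" or "https"; empty if no triggering document
  std::string host;
  std::string path;
};

// Tiny parser for "scheme://host/path"; returns an empty Uri on malformed input.
Uri ParseUri(const std::string& s) {
  Uri u;
  auto sep = s.find("://");
  if (sep == std::string::npos) return u;
  u.scheme = s.substr(0, sep);
  std::string rest = s.substr(sep + 3);
  auto slash = rest.find('/');
  u.host = rest.substr(0, slash);
  u.path = (slash == std::string::npos) ? "/" : rest.substr(slash);
  return u;
}

// What the (modelled) loop detector can see for one channel.
struct LoadState {
  Uri triggeringUri;               // document the navigation started from
  Uri requestedUri;                // URI of this channel before any upgrade
  std::vector<Uri> redirectChain;  // URIs already visited by redirects in this load
  bool hasValidUserGesture;        // click, middle click, "Open Link in New ..."
};

// Heuristic: an https origin sending us back to plain http on the same host
// looks like an upgrade -> downgrade loop, which the warning page is meant to stop.
bool LooksLikeDowngradeLoop(const Uri& prev, const Uri& next) {
  return prev.scheme == "https" && next.scheme == "http" && prev.host == next.host;
}

// Firefox 91 behaviour as described in this bug: the user-gesture check is gone,
// so a plain link click from https://host to http://host trips the heuristic.
bool ShouldShowWarningRegressed(const LoadState& ls) {
  const Uri& prev = ls.redirectChain.empty() ? ls.triggeringUri : ls.redirectChain.back();
  return LooksLikeDowngradeLoop(prev, ls.requestedUri);
}

// Rule from comment 4: consult the gesture only when the redirect chain is empty.
// Empty chain = first load, so a user gesture means the user navigated here.
// Non-empty chain = this channel exists because of a redirect, so the gesture is
// irrelevant and the loop check applies unconditionally.
bool ShouldShowWarningFixed(const LoadState& ls) {
  if (ls.redirectChain.empty()) {
    if (ls.hasValidUserGesture) return false;
    return LooksLikeDowngradeLoop(ls.triggeringUri, ls.requestedUri);
  }
  return LooksLikeDowngradeLoop(ls.redirectChain.back(), ls.requestedUri);
}

// Scenario from the report: clicking "Support" on the https MSI page.
LoadState MsiSupportClick() {
  return {ParseUri("https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X"),
          ParseUri("http://www.msi.com/Motherboard/support/MPG-Z590-CARBON-EK-X"),
          {}, true};
}

// Same link pasted into a blank tab: no triggering document, no redirect chain.
LoadState MsiSupportPasted() {
  return {Uri{},
          ParseUri("http://www.msi.com/Motherboard/support/MPG-Z590-CARBON-EK-X"),
          {}, false};
}

// Constructed genuine loop: the upgraded https://loop.example/a redirected us
// straight back to http://loop.example/a, so the chain is non-empty.
LoadState GenuineLoop() {
  return {ParseUri("http://loop.example/a"), ParseUri("http://loop.example/a"),
          {ParseUri("https://loop.example/a")}, true};
}

int main() {
  std::cout << "MSI click   regressed=" << ShouldShowWarningRegressed(MsiSupportClick())
            << " fixed=" << ShouldShowWarningFixed(MsiSupportClick()) << "\n";
  std::cout << "MSI pasted  regressed=" << ShouldShowWarningRegressed(MsiSupportPasted())
            << " fixed=" << ShouldShowWarningFixed(MsiSupportPasted()) << "\n";
  std::cout << "real loop   regressed=" << ShouldShowWarningRegressed(GenuineLoop())
            << " fixed=" << ShouldShowWarningFixed(GenuineLoop()) << "\n";
  return 0;
}
```

The fixed variant removes the false positive for the clicked link while still catching the constructed redirect loop, which is the property the automated test in the uplift request is meant to pin down.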
Updated • 4 years ago

Comment 5 • 4 years ago

Comment 7 • 4 years ago
bugherder
Comment 8 • 4 years ago
The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Updated • 4 years ago

Comment 9 • 4 years ago
Comment on attachment 9236012 [details]
Bug 1725026 - Check if the load is triggered by a user gesture only when redirect chain is empty, r=ckerschb
Beta/Release Uplift Approval Request
- User impact if declined: When HTTPS-only mode is enabled, we could show the warning page wrongly when users click a http link from a https page.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: N/A
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward and is covered by an automated test.
- String changes made/needed: N/A
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Because this patch is easy and I think it's worth uplifting it to make sure HTTPS-only mode works as before.
- User impact if declined: When HTTPS-only mode is enabled, we could show the warning page wrongly when users click a http link from a https page.
- Fix Landed on Version: 93
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward and is covered by an automated test.
- String or UUID changes made by this patch: N/A
Comment 10 • 4 years ago
Comment on attachment 9236012 [details]
Bug 1725026 - Check if the load is triggered by a user gesture only when redirect chain is empty, r=ckerschb
Approved for 92.0b5 and 91.1esr.
Comment 11 • 4 years ago
bugherder uplift

Comment 12 • 4 years ago
bugherder uplift

Updated • 4 years ago

Updated • 4 years ago

Comment 13 • 4 years ago
Reproduced the initial issue using old Nightly build from 2021-06-25, verified that having HTTPS-Only Mode enabled and using the steps from comment 1 and 2 the issue does not reproduce anymore across platforms (Windows 10 64bit, macOS 11.5 and Ubuntu 18.04) using the following builds: Latest Nightly 93.0a1, Beta 92.0b6 and latest esr91 from treeherder.