Firefox incorrectly says that secure connection not available when HTTPS-only is enabled in private windows
Categories (Core :: DOM: Security, defect)
People (Reporter: kozlovr+bmo, Unassigned)
References (Blocks 1 open bug)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Steps to reproduce:
- Go to Settings > Privacy & Security and ensure "Enable HTTPS-Only Mode in private windows only" is selected.
- Open a new private window.
- Go to https://jsfiddle.net/ocwrbn36/2/
- In the "Result" area (bottom right) open both links ("same domain" and "other domain") in a new tab, either by wheel-clicking or by right-clicking and selecting "open link in new tab".
Additional details:
The fiddle contains just two links, http://fiddle.jshell.net/robots.txt and http://httpbin.org/ (both sites currently support http and https and don't redirect from http to https).
This can probably also be reproduced if you open this bug page instead of the fiddle and click on this http link: http://bugzilla.mozilla.org/ (I hope bugzilla doesn't replace it with https).
I can reproduce this in a fresh profile (after changing only the setting from step 1).
I think I started noticing this in Firefox 91, so it might be related to HTTPS-first in private windows.
Actual results:
"other domain" link opens correctly (using https).
"same domain" link shows the HTTPS-Only Mode alert "Secure Connection Not Available", despite the fact that the site supports https. Now if you hit Enter in the address bar, the https version of the page opens successfully.
Expected results:
Both links open correctly (using https).
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
Bugzilla uses the HSTS feature and redirects http:// requests to https:// which will get cached when you open this page to click on the http: link. It's not at all a good test for this.
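Comment 2's point, as an added example (not part of the bug thread and not Firefox code): a host that redirects http to https, or whose https response sets HSTS, ends up on https whether or not HTTPS-Only Mode acted, so it cannot show what the mode did. The sketch parses Strict-Transport-Security per RFC 6797 and classifies constructed sample responses; the function names, the response object shape and the .example host are assumptions.

```javascript
// Added example. Response objects are constructed samples, not captured traffic.

// Parse a Strict-Transport-Security value (RFC 6797). Returns null if invalid.
function parseHsts(value) {
  const seen = new Set();
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(";")) {
    const directive = part.trim();
    if (directive === "") continue; // empty directives are permitted
    const eq = directive.indexOf("=");
    const name = (eq < 0 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let arg = eq < 0 ? null : directive.slice(eq + 1).trim();
    if (seen.has(name)) return null; // a repeated directive invalidates the header
    seen.add(name);
    if (arg !== null && /^".*"$/.test(arg)) arg = arg.slice(1, -1); // quoted-string
    if (name === "max-age") {
      if (arg === null || !/^\d+$/.test(arg)) return null;
      policy.maxAge = Number(arg);
    } else if (name === "includesubdomains") {
      if (arg !== null) return null; // this directive takes no value
      policy.includeSubDomains = true;
    } // unknown directives are ignored
  }
  return policy.maxAge === null ? null : policy; // max-age is required
}

// Decide whether a host can show that HTTPS-Only Mode itself did the upgrade.
// httpResp / httpsResp: { status, headers } with lower-case header names (assumed shape).
function classifyTestTarget(httpResp, httpsResp) {
  const reasons = [];
  const loc = (httpResp.headers["location"] || "").toLowerCase();
  if (httpResp.status >= 300 && httpResp.status < 400 && loc.startsWith("https://")) {
    reasons.push("http redirects to https");
  }
  // HSTS is only honoured when it arrives over https; max-age=0 clears the policy.
  const sts = httpsResp.headers["strict-transport-security"];
  const policy = sts ? parseHsts(sts) : null;
  if (policy && policy.maxAge > 0) reasons.push("https response sets HSTS");
  return { usable: reasons.length === 0, reasons };
}

// Constructed samples: one host that redirects and sets HSTS, one that does neither.
const hstsHost = classifyTestTarget(
  { status: 301, headers: { location: "https://hsts-site.example/" } },
  { status: 200, headers: { "strict-transport-security": "max-age=31536000; includeSubDomains" } });
const plainHost = classifyTestTarget(
  { status: 200, headers: {} }, { status: 200, headers: {} });
console.log(hstsHost, plainHost);
```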
Comment 3•3 years ago
I can reproduce your problem in Firefox 91: when middle-clicking http://fiddle.jshell.net/robots.txt I get the error page rather than an upgrade to https:, and middle-clicking http://httpbin.org/ with https-first or https-only mode on works as expected.
This sounds like some of the bugs we've been fixing and I can't reproduce it in Firefox 92 Beta so we may well have fixed this case already. If you would like to try our Beta you can download it from https://www.mozilla.org/en-US/firefox/channel/desktop/#beta. Otherwise we will be shipping Firefox 92 on September 7 if you'd rather wait.
Comment 4•3 years ago
Please do let us know if that solves the problem for you. If it doesn't we'll have to figure out how your case is different than the ones we fixed.
I should note that by default our pre-release builds create their own clean profile. When you load the first time it won't have your history or bookmarks and so on, but don't worry! Your data will all be right where you left it when you switch back to regular Firefox. This is to protect your data in case the pre-release versions have bugs. [There are ways to migrate your data, but we recommend against it unless you decide to permanently switch to using Beta.]
Comment 5•3 years ago (Reporter)
I've tried Firefox 92.0b9 and this is indeed fixed, thanks. So should I close this as a duplicate?
Comment 6•3 years ago (Reporter)
While testing Beta, I found a similar case that is not yet fixed: if instead of middle-clicking the link we add an onclick handler that uses window.open() then the "same domain" link opens a new tab which says "Secure Connection Not Available" (see https://jsfiddle.net/xmcofeu7/).
Is this a feature or a bug? (not sure because window.open() is not a regular type of workflow)
Comment 7•3 years ago
window.open() should be upgraded like everything else when https-first or https-only modes are turned on. I couldn't reproduce comment 6 in 92 Beta 9 or in 93.
When you get the "Secure Connection Not Available" message were there any relevant warnings or error messages in the web console (part of DevTools, gives page-related messages) or in the "Browser Console" (general Firefox logging)? Does it work as expected in the latest Beta (Firefox 92 will be released tomorrow)?
Comment 8•3 years ago (Reporter)
OK, I've checked this in Beta 93.0b3 - does not reproduce (everything opens using https, as expected).
Therefore probably not important, but I still can reproduce comment 6 in Firefox 92 (release version), and there are no new/relevant messages in the dev console or in the browser console.
Comment 9•3 years ago
We should open a separate bug on the window.open() case if you're still experiencing that