Closed Bug 1757297 Opened 4 years ago Closed 2 years ago

HTTPS-Only exceptions are ignored when set with https:// scheme

Categories

(Core :: DOM: Security, defect, P3)

Firefox 99
defect

Tracking


RESOLVED FIXED
117 Branch
Tracking Status
firefox117 --- fixed

People

(Reporter: alanhdu, Assigned: maltejur)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(3 files, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0

Steps to reproduce:

  1. Go to a Columbia University webpage (e.g. https://www.columbia.edu/~mh2078/MonteCarlo/MCS_Var_Red_Advanced.pdf)
  2. Click the lock button to disable HTTPS-only mode
  3. Try to go to the http URL

When I visit a Columbia University webpage, I always get redirected to HTTPS which Columbia does not support.

https://www.columbia.edu/~mh2078/MonteCarlo/MCS_Var_Red_Advanced.pdf

Actual results:

No matter what I do, I am always redirected to the https URL, which Columbia does not support (leading to an "Object Not Found" server error). For the life of me I cannot figure out why I'm being redirected to HTTPS in the first place.

Expected results:

After I turn off the HTTPS-only mode, I should stop getting automatically redirected to the HTTP version.

Oh -- I should mention that this is in Firefox Troubleshooting mode, so I have no addons / extensions that would explain this behavior either.

The Bugbug bot thinks this bug should belong to the 'Core::Networking: HTTP' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Networking: HTTP
Product: Firefox → Core

FWIW, I can't reproduce this locally.
See the attached file in comment #2, it looks like the pref dom.security.https_only_mode is still true.
Could you go to about:config and check if dom.security.https_only_mode is really false?
Thanks.

Component: Networking: HTTP → DOM: Security
Flags: needinfo?(alanhdu)

Could you go to about:config and check if dom.security.https_only_mode is really false?

Interesting. Yes, if I turn this setting to False, then the bug does not appear. So it looks like the bug is specifically about how exceptions to HTTPS-only mode are handled -- if I set that setting to true but then add an exception for the website (I can do this by either the "Manage Exceptions" page in about:preferences#privacy or by clicking on the lock icon in the URL bar and turning HTTPS-only mode to off for this website), then the exception does not seem to get registered.

Of course, I could totally believe I did something wrong with trying to make an exception for HTTPS-only mode here.

Flags: needinfo?(alanhdu)

The severity field is not set for this bug.
:ckerschb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ckerschb)
Severity: -- → S4
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Status: UNCONFIRMED → NEW
Ever confirmed: true

The problem here seems to be that the exception is only set for https:// www.columbia.edu, since that is the site we are on when setting the exception. But when checking for potential HTTPS-Only exemptions, we are currently checking if http:// www.columbia.edu is excepted.

Possible solutions I see here:

  1. Always set the exceptions in the identity pane for http, even if the current site is https.
  2. When checking the exemptions, look for both http and https.
  3. Save the exemption permissions without the scheme entirely (not sure if that is even possible).
Assignee: nobody → mjurgens
Status: NEW → ASSIGNED
Summary: Cannot turn off https redirect → HTTPS-Only exemptions are ignored when set with https:// scheme
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
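The scheme mismatch described in the comment above, modelled as an added example (this is illustrative Python, not Firefox's permission-manager code). It assumes a store keyed by origin, a `set_exception()` call made from whatever page the user is currently on, and an `is_exempt()` check that the HTTPS-Only upgrade path performs against the http:// origin it is about to upgrade. The `SchemeKeyedStore` reproduces the reported behaviour; `SchemeAgnosticStore` applies the first proposed fix (always key exceptions on the http scheme, i.e. ignore the scheme when storing and checking):

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_origin(url: str):
    """Return (scheme, host, port) for an http(s) URL, with default ports folded to None."""
    parts = urlsplit(url)
    if parts.scheme not in _DEFAULT_PORTS or parts.hostname is None:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port
    if port == _DEFAULT_PORTS[parts.scheme]:
        port = None
    return parts.scheme, parts.hostname.lower(), port


class SchemeKeyedStore:
    """Exception store that keys on the full origin, scheme included (the buggy behaviour)."""

    def __init__(self):
        self._exceptions = set()

    def set_exception(self, current_page_url: str) -> None:
        # Stored exactly as the page the user is on, e.g. ("https", "www.columbia.edu", None).
        self._exceptions.add(_parse_origin(current_page_url))

    def is_exempt(self, http_url: str) -> bool:
        # The upgrade path only ever asks about the http:// origin it is about to upgrade,
        # so an exception recorded under https:// is never found.
        scheme, host, port = _parse_origin(http_url)
        return ("http", host, port) in self._exceptions


class SchemeAgnosticStore:
    """Exception store that drops the scheme from the key (proposed fix 1 / 3 in the comment)."""

    def __init__(self):
        self._exceptions = set()

    @staticmethod
    def _key(url: str):
        _scheme, host, port = _parse_origin(url)
        return host, port

    def set_exception(self, current_page_url: str) -> None:
        self._exceptions.add(self._key(current_page_url))

    def is_exempt(self, http_url: str) -> bool:
        return self._key(http_url) in self._exceptions


def should_upgrade(store, requested_url: str) -> bool:
    """HTTPS-Only decision: upgrade plain http:// loads unless the site has an exception."""
    scheme, _host, _port = _parse_origin(requested_url)
    if scheme != "http":
        return False  # already https, nothing to upgrade
    return not store.is_exempt(requested_url)


def reproduce(store_cls):
    """Constructed scenario mirroring the report: exception set from the https page, http load tried next."""
    store = store_cls()
    store.set_exception("https://www.columbia.edu/~mh2078/MonteCarlo/MCS_Var_Red_Advanced.pdf")
    return should_upgrade(store, "http://www.columbia.edu/~mh2078/MonteCarlo/MCS_Var_Red_Advanced.pdf")


if __name__ == "__main__":
    print("scheme-keyed store still upgrades:", reproduce(SchemeKeyedStore))      # True (the bug)
    print("scheme-agnostic store still upgrades:", reproduce(SchemeAgnosticStore))  # False (fixed)
```

The second store also stays conservative in the other direction: an exception for www.columbia.edu does not leak to any other host, and an explicit non-default port is still part of the key, so http://host:8080 is not exempted by an exception set on https://host.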
Duplicate of this bug: 1714661
Attachment #9342309 - Attachment description: WIP: Bug 1757297: Only work with http scheme for HTTPS-Only exemptions r?freddyb → WIP: Bug 1757297: Only work with http scheme for HTTPS-Only exceptions r?freddyb
Attachment #9342309 - Attachment description: WIP: Bug 1757297: Only work with http scheme for HTTPS-Only exceptions r?freddyb → Bug 1757297: Only work with http scheme for HTTPS-Only exceptions r?freddyb
Summary: HTTPS-Only exemptions are ignored when set with https:// scheme → HTTPS-Only exceptions are ignored when set with https:// scheme

The severity field for this bug is set to S4. However, the following bug duplicate has higher severity:

:mjurgens, could you consider increasing the severity of this bug to S3?

For more information, please visit BugBot documentation.

Flags: needinfo?(mjurgens)
Severity: S4 → S3
Flags: needinfo?(mjurgens)
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b3106416eb72 Only work with http scheme for HTTPS-Only exceptions r=freddyb,settings-reviewers,Gijs
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch
