Closed Bug 1803583 Opened 2 years ago Closed 2 years ago

"This address is restricted" functionality should be improved

Categories

(Firefox :: Security, enhancement)

Firefox 107
enhancement

RESOLVED DUPLICATE of bug 85601

People

(Reporter: riccardo.kyogre, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0

Steps to reproduce:

Visited localhost:6666

Actual results:

Got a page with "This address is restricted" on it

Expected results:

One of the following:

  • The website should have opened
    The site should have opened without this "security feature" getting in my way

  • The "This address is restricted" page should have been shown, with a manual override option
    A button to override the restriction should have been present. It seems kind of absurd that you can easily bypass an invalid TLS certificate but not a "restricted port"

Additional comments:

  • The suggested solution is to add the port to a whitelist in about:config. This is not a great solution for people who just know what they're doing - I just want a flag to get this "security feature" out of my way
  • The "Try again" button on the page doesn't appear to me to make any sense. When pressed, it just brings me to my extension-provided new tab page
  • When adding ports to the whitelist in about:config, restricted ports become accessible without a browser restart; when removing ports, they become restricted again only after a restart. Since it's supposed to be a security feature, it should be either consistent, or work the opposite way (i.e. be slower at un-restricting things than restricting things)

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → Security
Product: Core → Firefox
Status: UNCONFIRMED → NEW
Ever confirmed: true

We are certainly not going to remove port blocking. It's in the Fetch Standard and browsers are compatible with that standard and each other.

> When adding ports to the whitelist in about:config, restricted ports become accessible without a browser restart; when removing ports, they become restricted again only after a restart. Since it's supposed to be a security feature, it should be either consistent, or work the opposite way (i.e. be slower at un-restricting things than restricting things)

It's a security feature, but not one that's intended to be changed in mid-flight, or at all except by a very small handful of people with legacy configurations. The override list was an "escape hatch" and wasn't expected to be changed after an initial configuration. Chrome makes the "restart required" aspect more explicit: their equivalent functionality requires a --explicitly-allowed-ports=XXX command line argument.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 85601
Resolution: --- → DUPLICATE
See Also: → 85601
Summary: "This address is restricted" functionality should be removed or improved → "This address is restricted" functionality should be improved