[schoolgateway.westminster.org.uk] "requested service is temporarily unavailable" message in HTTPS-only mode
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: pgking47, Unassigned)
References
(Blocks 1 open bug, )
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Steps to reproduce:
With HTTPS-only mode switched on, and no exceptions, click on this URL : http://schoolgateway.westminster.org.uk/?page_id=7.
Actual results:
Error message: "The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later." No option to skip.
Expected results:
Report "Secure Site Not Available" with option to continue to HTTP site. (Once HTTPS-only mode is switched off, or the URL is added as an exception, the problem goes away.)
|
||
Comment 1•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•2 years ago
|
||
I can reproduce what you've described, but this isn't a "bug". This site simply doesn't exist on https:, and the error you are seeing is a generic error page from their hosting provider. The site is returning a "503" HTTP status which is kind of like a "404 Page Not Found" except more serious -- the site itself is "not found" because it's simply broken or missing. This kind of error often comes from a generic "traffic-management" server that sites in front of the real site (or more likely multiple sites), and it can't find the "real" content server in order to route traffic.
There's nothing in Firefox we can fix for that. "HTTPS Only" is intentionally very aggressive ("only!") which is why we haven't made it the default setting. When enabled it WILL NOT make an insecure connection unless the user explicitly says to do so. For this site you're going to have to add an exception. In the cases where we can't connect securely at all we can present a clear error page. In this kind of case, where we've connected to the site but then it returns an error page, we show the error page because sometimes those pages will contain instructions on where to go instead. We don't want to weaken the promises of the "HTTPS Only" mode by making insecure connections that the user hasn't explicitly requested. This feature is used by the Tor Browser (built on top of Firefox) and it replaces the popular (but niche) "HTTPS Everywhere" extensions from the EFF.
We are, however, working on a less aggressive "HTTPS First" mode. This does its best to load the secure version of a site, but it will silently fall-back to the insecure connection. That mode detects the "503" in this case and then doesn't do the upgrade (implemented in bug 1709552). It's probably more what you want. Currently https-first is the default mode in private browsing, where you can test that http://example.com gets converted to the https:// version of the site, but http://schoolgateway.westminster.org.uk/?page_id=7 does not. There are still a couple of bugs to work out before we make that the default for normal browsing.
Thank you for the very clear explanation, which I fully understand.
The problem is that adding an exception only works for me and not for less persistent users. Other users might see the "service not available" message, believe it, and go away, not realising that turning off HTTP-only or making an exception would take them to the required website. At the moment the "service not available" message leaves the user in a cul-de-sac with no way out.
I understand your reason for displaying the error page received from the server, but would it be possible to preface it with a message from Firefox suggesting that turning off HTTP-only for this site might be a solution, with any necessary warnings?
HTTP-first sounds good, but will still leave unaware users with the same problem if they have opted for HTTP-only instead.
Description
•