1844742 - Expose HTTPS-First in Settings

Status: RESOLVED WONTFIX

(Core :: DOM: Security, enhancement)

Description

[Malte Jürgens [:maltejur]]

Attachment: Screenshot_20230721_104558.png

Since HTTPS-First is already enabled by default in Private Browsing, it would only make sense to let the user have some more control over it in the settings. Currently, this is only possible via about:config.

There also still is the open terminology question about how "HTTPS-First" should be called for the user. Having both "HTTPS-Only" and "HTTPS-First", which do two very similar things could be confusing. So we could consider calling both "HTTPS-Only", and only have a checkbox which allows you to enable or disable "silent fallbacks to HTTP", which would correspond to HTTPS-First. I have attached an experimental implementation of how this could look like, but keep in mind that this is just an early exploration of how these settings could look like. This implementation would also have the downside that the user could not enable HTTPS-First everywhere and HTTPS-Only in PBM.

Comment 1

[Malte Jürgens [:maltejur]]

Attachment: WIP: Bug 1844742: Expand HTTPS-Only settings to include HTTPS-First and Schemeless Upgrades r?freddyb

Depends on D183745

Comment 3

[Malte Jürgens [:maltejur]]

Attachment: WIP: Bug 1844742 - Rework HTTPS-Only/First Settings UI

Comment 4

[Malte Jürgens [:maltejur]]

Due to HTTPS-First being standardized as HTTPS Upgrades, we have decided to continue not including a option to toggle it in the settings UI.

As there could still be confusion though by requests being upgraded, even when HTTPS-Only is disabled in the settings, we still want to update the strings for the HTTPS-Only settings to make it a bit clearer what is happening. I have opened Bug 1907517 for that.