Closed Bug 1844978 Opened 2 years ago Closed 2 years ago

https-only exceptions misinterpret attempted wildcards for a domain

Categories

(Firefox :: Site Permissions, defect, P3)

Firefox 115
defect

Tracking

RESOLVED FIXED
118 Branch
Tracking Status
firefox118 --- fixed

People

(Reporter: bz-moz, Assigned: maltejur)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

  • Activate https-only mode
  • Open exceptions dialog for https
  • Enter a domain, attempt to use a wildcard (even though the online-help asks for exact domain names), e.g. enter "*.neverssl.com"
  • Note the error message to enter a valid domain name, but don't give up - try again:
  • enter "http://*.neverssl.com"

(note that you won't need an exception for subdomains of neverssl.com for the site to work, but this applies to local domains used in development environments as well)

Actual results:

When entering "http://*.neverssl.com", Firefox lists "http://http" and "https://http" as exceptions for the https-only mode. E.g. the colon following "http" is likely interpreted as the port number separator, and everything else is ignored. This happens silently, e.g. when there are already exceptions in the list, the user has no visual feedback about the actual value entered.

Expected results:

I'd have expected one of the following (in decreasing order of personal preference)

  • wildcards to be accepted, to be able to enter a local development domain, including subdomains, as an exception
  • Full URL including "http://" being either rejected, or interpreted correctly (it's not that unusual to enter them, as the protocol will appear in the exceptions list anyway)

Another generally good option would be to either:

  • give explicit feedback about the changed values
  • display the new exception on top of the list of exceptions: If there are already some exceptions, the unexpected interpretation of the URL goes unnoticed, as it appears at the end of the list. And the existing exceptions make it look like the protocol should be entered as well.
Component: Untriaged → DOM: Security
Product: Firefox → Core

Malte: can you take a look?

Flags: needinfo?(mjurgens)

I can reproduce this behavior, but as far as I can tell, these dialogs generally don't accept wildcards. For example, the same behavior also happens on the "Cookies and Site Data" exceptions dialog. But I agree that an error would be better here than just accepting some badly parsed input.

Status: UNCONFIRMED → NEW
Component: DOM: Security → Settings UI
Ever confirmed: true
Flags: needinfo?(mjurgens)
Product: Core → Firefox
Assignee: nobody → mjurgens
Status: NEW → ASSIGNED
Component: Settings UI → Site Permissions
Severity: -- → S4
Type: enhancement → defect
Priority: -- → P3
Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/74e7e1c0f01e
Discard permission dialog inputs which start with a http(s) scheme and can't be turned into a principal r=settings-reviewers,Gijs
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
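
A minimal model of the behaviour reported above and of the fix named in the commit message, as an added example that is not Firefox's code. The names `strictOrigin`, `originBefore`, `originAfter` and `HOSTNAME` are hypothetical, and the retry with "http://" prepended is an assumption about how the scheme ends up being read as the host.

```javascript
// Hypothetical model of a permission-dialog input handler (not Firefox source).
// ASSUMPTION: the strict step accepts only http(s) URLs whose host is made of
// plain letter/digit/hyphen labels (simplified: no IPv6 literals), so a
// wildcard host such as "*.neverssl.com" fails it.
const HOSTNAME = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i;

function strictOrigin(text) {
  let url;
  try {
    url = new URL(text); // WHATWG URL parser
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (!HOSTNAME.test(url.hostname)) return null;
  return url.origin;
}

// Before: every failed parse is retried with "http://" prepended.
// "http://*.neverssl.com" becomes "http://http://*.neverssl.com", where
// "http" is the host, ":" an empty port and the rest is the path.
function originBefore(input) {
  return strictOrigin(input) ?? strictOrigin("http://" + input);
}

// After: input that already starts with an http(s) scheme and fails the
// strict step is discarded instead of being retried.
function originAfter(input) {
  const origin = strictOrigin(input);
  if (origin !== null) return origin;
  if (/^https?:/i.test(input)) return null; // caller shows the "invalid" error
  return strictOrigin("http://" + input);
}

// Constructed sample inputs, including the two from the steps to reproduce.
for (const input of ["*.neverssl.com", "http://*.neverssl.com",
                     "neverssl.com", "localhost:8080"]) {
  console.log(JSON.stringify(input), "before:", originBefore(input),
              "after:", originAfter(input));
}
```
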