1863286 - Schemeless HTTPS-First overrides HTTPS-Only in identity pane

Status: VERIFIED FIXED

(Core :: DOM: Security, defect)

Description

[Malte Jürgens [:maltejur]]

To reproduce:

1. Enable both dom.security.https_first_schemeless and dom.security.https_only_mode
2. Visit http://https-everywhere.badssl.com/
3. Check the identity pane (lock icon)

Expected: We see the HTTPS-Only exception UI
Actually: The HTTPS-Only exception UI is hidden as the identity pane thinks this was a schemeless upgrade

Comment 1

[Malte Jürgens [:maltejur]]

Attachment: Bug 1863286 - Schemeless HTTPS-First overrides HTTPS-Only in identity pane r?freddyb

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1812192

Comment 3

[Pulsebot]

Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/39e7e0a18465
Schemeless HTTPS-First overrides HTTPS-Only in identity pane r=freddyb

Comment 4

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/39e7e0a18465

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:mjurgens, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox120 to wontfix.

For more information, please visit BugBot documentation.

Comment 6

[Monica Chiorean]

Verified that "Automatically upgrade this site to a secure connection" is not displayed before the fix in Win10x64 using FF build 120.0, but displayed after fix on Win10x64/Mac14 using FF build 121.0b4.