HTTPS-Only code in site identity panel doesn't handle nested URIs correctly
Categories
(Core :: DOM: Security, defect, P3)
Tracking
Tracking | Status | |
---|---|---|
firefox123 | --- | verified |
People
(Reporter: maltejur, Assigned: maltejur)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
Follow-up from Bug 1855734
:dveditz mentioned
The Site Identity panel code in browser/base/content/browser-siteIdentity.js doesn't seem to deal with [nested URIs] correctly. Stripping view-source off the URL will work, but means every kind of nested URL has to be dealt with individually and indeed, this code also has a special-case "jar" section (that won't handle nested jar files, which can happen!)
https://searchfox.org/mozilla-central/rev/37d9d6f0a77147292a87ab2d7f5906a62644f455/browser/base/content/browser-siteIdentity.js#1125-1127,1155-1166
Instead it should have done something like this up at the top of setURI()
if (uri instanceof Ci.nsINestedURI) { uri = uri.QueryInterface(Ci.nsINestedURI).innermostURI; }
More specifically, I am seeing the following issue:
- Enable HTTPS-Only mode
- Visit view-source:http://google.com
- Open the identity pane (lock icon), and select "Off" in the HTTPS-Only dropdown
- Close and reopen the identity pane
Expected result: The value of the dropdown is now "Off"
Actual result: The dropdown is empty, which should never happen
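The difference between stripping known wrappers one at a time and unwrapping to the innermost URI, as an added example that is not part of the original report and is not Firefox code. It is a plain-string model that runs in Node; the function names, the origin-keyed settings store and the example.com URLs are constructed for illustration.

```javascript
// Plain-string model of nested URIs for Node; not Firefox code.
// Return the directly wrapped URI, or null when `spec` is not nested.
function innerSpec(spec) {
  if (spec.startsWith("view-source:")) {
    return spec.slice("view-source:".length);
  }
  if (spec.startsWith("jar:")) {
    // jar:<archive URI>!/<entry>. A nested jar's archive URI contains "!/"
    // too, so this model splits on the last separator.
    const sep = spec.lastIndexOf("!/");
    return sep === -1 ? null : spec.slice("jar:".length, sep);
  }
  return null;
}

// Generic approach: keep unwrapping until nothing is nested.
function innermostSpec(spec) {
  for (let inner = innerSpec(spec); inner !== null; inner = innerSpec(spec)) {
    spec = inner;
  }
  return spec;
}

// Special-case approach: strip each known wrapper once.
function specialCasedSpec(spec) {
  if (spec.startsWith("view-source:")) {
    spec = spec.slice("view-source:".length);
  }
  if (spec.startsWith("jar:")) {
    spec = innerSpec(spec) ?? spec;
  }
  return spec;
}

// Hypothetical per-site setting store keyed by origin; "" means no entry.
function lookupSetting(store, spec) {
  return store.get(new URL(spec).origin) ?? "";
}

// Constructed sample data.
const store = new Map([["http://example.com", "Off"]]);
const nestedJar = "jar:jar:http://example.com/outer.jar!/inner.jar!/page.html";
for (const spec of ["view-source:http://example.com/", nestedJar]) {
  console.log(spec, "| raw:", JSON.stringify(lookupSetting(store, spec)),
    "| special-cased:", JSON.stringify(lookupSetting(store, specialCasedSpec(spec))),
    "| innermost:", JSON.stringify(lookupSetting(store, innermostSpec(spec))));
}
```

In this model the raw wrapped URL and the once-stripped nested jar both have an opaque origin, so the lookup returns no entry, while the innermost form finds the stored value.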
Comment 4•8 months ago
Reproduced this issue on an affected Nightly build from 2023-11-13, on Win 10.
Verified as fixed on Firefox 123.0b2 (20240124102023) across the following platforms: Win 10, Ubuntu 22 and macOS 10.15. The value of the dropdown is Off.