Closed Bug 1864464 Opened 11 months ago Closed 9 months ago

HTTPS-Only code in site identity panel doesn't handle nested URIs correctly

Categories

(Core :: DOM: Security, defect, P3)

Tracking

VERIFIED FIXED
123 Branch
Tracking Status
firefox123 --- verified

People

(Reporter: maltejur, Assigned: maltejur)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Follow-up from Bug 1855734

:dveditz mentioned

The Site Identity panel code in browser/base/content/browser-siteIdentity.js doesn't seem to deal with [nested URIs] correctly. Stripping view-source off the URL will work, but means every kind of nested URL has to be dealt with individually and indeed, this code also has a special-case "jar" section (that won't handle nested jar files, which can happen!)
https://searchfox.org/mozilla-central/rev/37d9d6f0a77147292a87ab2d7f5906a62644f455/browser/base/content/browser-siteIdentity.js#1125-1127,1155-1166

Instead it should have done something like this up at the top of setURI()

    // Unwrap view-source:, jar: and any other nested URI in one step.
    if (uri instanceof Ci.nsINestedURI) {
      uri = uri.QueryInterface(Ci.nsINestedURI).innermostURI;
    }

More specifically, I am seeing the following issue:

  1. Enable HTTPS-Only mode
  2. Visit view-source:http://google.com
  3. Open the identity pane (lock icon), and select "Off" in the HTTPS-Only dropdown
  4. Close and reopen the identity pane

Expected result: The value of the dropdown is now "Off"
Actual result: The dropdown is empty, which should never happen
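
The difference between per-scheme stripping and unwrapping to the innermost URI, as an added example that is not part of the bug report or of Firefox's code. It is a simplified string model rather than nsINestedURI; the function names, the wrapper-scheme list and the example.com URLs are assumptions made for the illustration.

```javascript
// Simplified string model of nested URIs (added illustration; Firefox uses nsINestedURI).
// Assumption: only these two schemes wrap another URI in this model.
const WRAPPER_SCHEMES = ["view-source", "jar"];

// One-off handling: strip one view-source: prefix, then one jar: layer.
function stripSpecialCases(spec) {
  if (spec.startsWith("view-source:")) {
    spec = spec.slice("view-source:".length);
  }
  if (spec.startsWith("jar:")) {
    spec = spec.slice("jar:".length).split("!/")[0];
  }
  return spec;
}

// Peel exactly one wrapper layer; return null when spec is not a nested URI.
function innerURI(spec) {
  const colon = spec.indexOf(":");
  if (colon === -1) return null;
  const scheme = spec.slice(0, colon).toLowerCase();
  if (!WRAPPER_SCHEMES.includes(scheme)) return null;
  let inner = spec.slice(colon + 1);
  if (scheme === "jar") {
    // jar:<archive URI>!/<entry>: the archive URI is the inner URI.
    const sep = inner.lastIndexOf("!/");
    if (sep !== -1) inner = inner.slice(0, sep);
  }
  return inner;
}

// General handling: keep unwrapping until the URI is no longer nested.
function innermostURI(spec) {
  let current = spec;
  let next;
  while ((next = innerURI(current)) !== null) {
    current = next;
  }
  return current;
}

// Constructed sample inputs.
const SAMPLES = [
  "view-source:http://example.com/",
  "jar:jar:https://example.com/outer.jar!/inner.jar!/page.html",
  "view-source:jar:jar:https://example.com/outer.jar!/inner.jar!/page.html",
];
for (const spec of SAMPLES) {
  console.log(spec, "\n  special-cased:", stripSpecialCases(spec),
              "\n  innermost:    ", innermostURI(spec));
}
```

For the nested jar inputs the special-cased path still returns a jar: URI, so any later check keyed on an http or https scheme sees the wrong URI, while the loop reaches the https URI regardless of nesting depth.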

Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-active]
Pushed by mjurgens@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fa335f007969 Fix HTTPS-Only nested URI handling in identity panel r=freddyb
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

Reproduced this issue on an affected Nightly build from 2023-11-13, on Win 10.
Verified as fixed on Firefox 123.0b2 (20240124102023) across the following platforms: Win 10, Ubuntu 22 and macOS 10.15. The value of the dropdown is Off.

Status: RESOLVED → VERIFIED
Flags: qe-verify+