Open Bug 1877935 Opened 1 year ago Updated 4 days ago

Make sure we pass tests in WPT for https-upgrades

Categories

(Core :: DOM: Security, task, P4)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

People

(Reporter: freddy, Assigned: simonf)

References

(Blocks 1 open bug)

Details

(Keywords: leave-open, spec-needed, Whiteboard: [domsecurity-active])

Attachments

(5 files, 8 obsolete files)

WIP: Bug 1877935 Fix HTTPS upgrade WPT tests r=freddyb
48 bytes, text/x-phabricator-request
Details | Review
Bug 1877935 Remove unneeded check r=freddyb
48 bytes, text/x-phabricator-request
Details | Review
Bug 1877935 Improve redirect test r=freddyb
48 bytes, text/x-phabricator-request
Details | Review
Bug 1877935 - Enable HTTPS-First for non-default ports r=maltejur
48 bytes, text/x-phabricator-request
Details | Review
Bug 1877935: Add prefs to pass https-upgrades WPT tests. r?freddyb!
48 bytes, text/x-phabricator-request
Details | Review

If we want to ship https-first, we ought to align on the HTTPS Upgrades proposal in whatwg. In turn, this means that we should support the tests (and make sure that wpt annotations for the https-upgrades/ folder point to DOM: Security and https-first-mode.

link to wpt dashboard for https-ugprades folder: https://wpt.fyi/results/https-upgrades/tentative?label=master&label=experimental&aligned

I also took a look at this recently. Even annotating all the testing/web-platform/meta/https-upgrades/tentative/*.html.ini files with prefs: [dom.security.https_first:true] does not seem to make the tests pass. So it seems to me that HTTPS-First does not yet work with those tests. I think that is because these tests use custom ports to test the upgrades. Quote from one of the tests:

HTTPS upgrades don't change custom ports, so this will load correctly if an HTTPS upgrade is performed, and will fail to load otherwise (since the port will be wrong for http).

I am pretty sure the WIP spec also supports this way of testing HTTPS upgrades. So the next step is probably to adjust our HTTPS-First behavior when it comes to custom ports. But when we notice that our behavior makes more sense, I could also imagine asking in the PR to adjust the spec and WPTs.

Simon, do you want to take a look at this, or should I work on it?

Blocks: 1855558
Flags: needinfo?(sfriedberger)
Assignee: nobody → sfriedberger
Flags: needinfo?(sfriedberger)
Whiteboard: [domsecurity-active]

Redirect chain information was reduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1715785 because the redirect chains are passed to the content process.
This will cause a false-positive when the redirect only changes the query parameters.
This will fail https://wpt.fyi/results/https-upgrades/tentative/http-redirecting-to-http-redirecting-to-http.https.sub.html?label=master&label=experimental&aligned. It redirects multiple times to http://{{host}}:{{ports[https][0]}}/fetch/api/resources/redirect.py?location=.

Attachment #9390790 - Attachment is obsolete: true
Attachment #9390791 - Attachment is obsolete: true
Attachment #9390792 - Attachment is obsolete: true
Attachment #9390793 - Attachment is obsolete: true
Attachment #9390794 - Attachment is obsolete: true
Attachment #9390795 - Attachment is obsolete: true
Attachment #9390804 - Attachment is obsolete: true

Adds an additional test which redirects to a different host using HTTP.
Such a request should be upgraded by HTTPS-first.

Depends on D204369

Keywords: leave-open

The leave-open keyword is there and there is no activity for 6 months.
:simonf, maybe it's time to close this bug?
For more information, please visit BugBot documentation.

Flags: needinfo?(sfriedberger)
Blocks: 1921214
No longer blocks: https-first-mode
Depends on: 1742061
No longer depends on: 1742061
Blocks: https-first-release
Flags: needinfo?(sfriedberger)
Keywords: spec-needed

Depends on D225241

Attachment #9430192 - Attachment is obsolete: true
Pushed by sfriedberger@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ca419c505418 Enable HTTPS-First for non-default ports r=maltejur,necko-reviewers,devtools-reviewers
Regressions: 1938361
Pushed by sfriedberger@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7a267748097e Add prefs to pass https-upgrades WPT tests. r=freddyb
Regressions: 1943567
See Also: → 1897075

When trying to enable this globally some BFCache tests are failing this might be due to Bug 1897075.

Just to give a status update. Tests on wpt do not use default ports and the feature is entirely built in a way that only upgrades when a connection is using a default port, which makes it a bit... hard to test.

We could set a pref to upgrade non-default ports in tests only, but no other browser seems to do that and the tests are apparently in a bit of a dire situation.

Thinking about this, I think the best case scenario would be for us to share a set of test cases that Firefox passes and set the pref such that other browsers can see what we do. Seems like others are not really interested in maintaining or passing these tests anyway.

I'm downranking the priority as there is nothing we would gain from this at the moment (but potentially longer term). It's not required for our release.

Priority: P2 → P4
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: