Closed Bug 1884921 Opened 2 years ago Closed 1 year ago

HTTPS-First should add a temporary exception for sites that it is not able to upgrade

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
128 Branch
Tracking Status
firefox128 --- fixed

People

(Reporter: maltejur, Assigned: maltejur)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

As discussed in the HTTPS adoption meeting, we want to add a temporary HTTPS-Only/First exception when HTTPS-First encounters a situation on a site where it cannot upgrade. This would have the following advantages:

  1. It would decrease the additional page load time that HTTPS-First introduces. On sites which can't be upgraded to HTTPS because they time out there, we can only detect that by firing an additional HTTP request after 3s to see if the page is available quicker via HTTP. That introduces 3s of additional load time, which will happen on every navigation. By adding a temporary exception when the first upgrade isn't possible, we won't try to upgrade on subsequent loads, and thus save a lot of time.
  2. I talked with Manuel about this: It would actually fix some very specific upgrade-downgrade loops (like the one on bom.gov.au), because once we encounter any sort of incompatibility with HTTPS-First (which we do on bom.gov.au), we disable HTTPS-First by setting the exception.

Implementation-wise this should be pretty easy. Before IsUpgradeDowngradeEndlessLoop would return true, we just need to add a temporary exception for the current site. Ideally, that exception would have an expire time (like 48 hours), after which it gets deleted. The permission manager should support this, but it would create permissions that would look confusing in the current UI (identity pane and settings). So I think for now we should just set session exceptions that will be cleared on browser restart, which the current UI already supports. Changing that to expire times could be done in a follow-up bug.

My only fear with this is that maybe there is a case where it would add an exception for a site that (mostly) supports HTTPS. But I currently don't know any site where it would behave like that, so we will need to do testing once this is implemented.

Severity: -- → N/A
Priority: -- → P2
Whiteboard: [domsecurity-active]

We would also need to clear temporary exceptions when the user switches between HTTPS-First and HTTPS-Only, otherwise we could automatically create an exception through HTTPS-First that would then circumvent HTTPS-Only when the user switches to that.
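The behaviour proposed in the description and the mode-switch concern in the comment above can be sketched as a small model. This is an added example, not Firefox code: the class, method and host names are hypothetical, and it models only the timeout case with the 3s fallback timer mentioned in the description.

```javascript
// Toy model (not Firefox code): all names here are hypothetical.
const FALLBACK_TIMER_MS = 3000; // the "3s" HTTP fallback request from the description

class HttpsFirstModel {
  constructor({ clearOnModeSwitch = true } = {}) {
    this.mode = "https-first";           // or "https-only"
    this.sessionExceptions = new Set();  // hosts exempted until browser restart
    this.clearOnModeSwitch = clearOnModeSwitch;
  }

  // httpsWorks: constructed input saying whether the host answers over HTTPS.
  // extraDelayMs counts only the HTTPS-First fallback wait.
  navigate(host, httpsWorks) {
    if (this.sessionExceptions.has(host)) {
      // Exception present: no upgrade attempt, so no fallback wait either.
      return { scheme: "http", extraDelayMs: 0 };
    }
    if (httpsWorks) return { scheme: "https", extraDelayMs: 0 };
    if (this.mode === "https-only") {
      // HTTPS-Only does not downgrade silently; the user gets an error page.
      return { scheme: "blocked", extraDelayMs: 0 };
    }
    // HTTPS-First: upgrade failed, fall back and remember it for this session.
    this.sessionExceptions.add(host);
    return { scheme: "http", extraDelayMs: FALLBACK_TIMER_MS };
  }

  setMode(mode) {
    // Without this clear, an exception created automatically under HTTPS-First
    // would keep exempting the host after the user opts into HTTPS-Only.
    if (mode !== this.mode && this.clearOnModeSwitch) this.sessionExceptions.clear();
    this.mode = mode;
  }

  restart() { this.sessionExceptions.clear(); } // session exceptions do not persist
}

function demo() {
  const host = "legacy.example"; // constructed host that never answers over HTTPS
  const fixed = new HttpsFirstModel();
  const first = fixed.navigate(host, false);   // pays the fallback wait once
  const second = fixed.navigate(host, false);  // exception skips the wait
  fixed.setMode("https-only");
  const afterSwitch = fixed.navigate(host, false);

  const leaky = new HttpsFirstModel({ clearOnModeSwitch: false });
  leaky.navigate(host, false);
  leaky.setMode("https-only");
  return { first, second, afterSwitch, leakyAfterSwitch: leaky.navigate(host, false) };
}
```

In `demo()`, the `leaky` instance shows the circumvention described in the comment: the host still loads over HTTP under HTTPS-Only because the automatically created exception survived the mode switch.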

Duplicate of this bug: 1885172
Depends on: 1886184
Attachment #9390802 - Attachment description: WIP: Bug 1884921 - HTTPS-First should add a temporary exception for sites that it is not able to upgrade → WIP: Bug 1884921 - HTTPS-First should add a temporary exception for sites that it is not able to upgrade r?freddyb!,simonf!
Attachment #9391452 - Attachment description: WIP: Bug 1884921 - Update HTTPS-First Tests to work with new exception behaviour on failiure → WIP: Bug 1884921 - Update HTTPS-First Tests to work with new exception behaviour on failiure r?freddyb!
Attachment #9390802 - Attachment description: WIP: Bug 1884921 - HTTPS-First should add a temporary exception for sites that it is not able to upgrade r?freddyb!,simonf! → Bug 1884921 - HTTPS-First should add a temporary exception for sites that it is not able to upgrade r?freddyb!,simonf!
Attachment #9391452 - Attachment description: WIP: Bug 1884921 - Update HTTPS-First Tests to work with new exception behaviour on failiure r?freddyb! → Bug 1884921 - Update HTTPS-First Tests to work with new exception behaviour on failiure r?freddyb!
Pushed by mjurgens@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f8df3c6cf669
HTTPS-First should add a temporary exception for sites that it is not able to upgrade r=freddyb,simonf
https://hg.mozilla.org/integration/autoland/rev/00f574fb9f0c
Update HTTPS-First Tests to work with new exception behaviour on failiure r=freddyb
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
See Also: → 1921226
See Also: → 1937749