Closed Bug 1888548 Opened 2 months ago Closed 12 days ago

dom.security.https_only_mode - impossible to set exceptions

Categories

(Firefox :: Enterprise Policies, enhancement, P2)

Tracking

RESOLVED FIXED
127 Branch
Tracking Status
firefox126 --- wontfix
firefox127 --- fixed

People

(Reporter: pascal.reintjens, Assigned: mkaply)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

  1. Created a policies.json file with the following contents:

     {
       "policies": {
         "Preferences": {
           "dom.security.https_only_mode": {
             "Value": true,
             "Status": "locked"
           }
         }
       }
     }

  2. Subsequently, placed this file within the installation directory: C:\Program Files\Mozilla Firefox\distribution\policies.json
  3. Restarted the browser and went to Settings > Privacy & Security > HTTPS-Only Mode

Actual results:

The HTTPS-Only Mode is enabled and enforced, the user can set exceptions by himself by clicking on Manage exceptions, but it is not possible to add exceptions via policy.

Expected results:

It should be possible to set exceptions from HTTPS-Only Mode via Policy.
Additionally it would be great to get an option to block the user from setting any exceptions himself.
Maybe the whole HTTPS-Only Mode is a good candidate for its own policy option instead of setting it via Preferences.

To clarify, I would like to block the user from setting the permanent exceptions. The temporary ones would be fine.
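
For admins who want to verify what a deployed policies.json does to HTTPS-Only Mode, here is an added example (not code from this bug or from Firefox) that classifies a file using the `Preferences` policy from the report. The verdict labels are invented for this example, and `dom.security.https_only_mode_pbm` is assumed to be the private-windows-only variant of the pref, which the report does not name.

```python
import json

PREF = "dom.security.https_only_mode"
PREF_PBM = "dom.security.https_only_mode_pbm"  # assumed private-windows pref

# Constructed sample: same content as the policies.json in the report.
SAMPLE = '''{
  "policies": {
    "Preferences": {
      "dom.security.https_only_mode": {"Value": true, "Status": "locked"}
    }
  }
}'''


def pref_state(prefs, name):
    """Return (enabled, locked) for one entry of the Preferences policy."""
    entry = prefs.get(name)
    if not isinstance(entry, dict):
        return False, False
    # Only a boolean true and an explicit "locked" count; anything else is
    # treated as not enforced so the audit fails closed.
    return entry.get("Value") is True, entry.get("Status") == "locked"


def audit_https_only(policy_text):
    """Classify how a policies.json configures HTTPS-Only Mode."""
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError:
        return "invalid-json"
    policies = doc.get("policies") if isinstance(doc, dict) else None
    prefs = policies.get("Preferences") if isinstance(policies, dict) else None
    if not isinstance(prefs, dict):
        return "not-configured"
    enabled, locked = pref_state(prefs, PREF)
    if enabled:
        return "enforced" if locked else "enabled-not-locked"
    pbm_enabled, pbm_locked = pref_state(prefs, PREF_PBM)
    if pbm_enabled:
        return "private-only-locked" if pbm_locked else "private-only"
    return "not-configured"


if __name__ == "__main__":
    print(audit_https_only(SAMPLE))
```
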

The Bugbug bot thinks this bug should belong to the 'Firefox::Enterprise Policies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Enterprise Policies

Hello! Thank you for submitting this issue. I will mark it as NEW in order to get our developers involved and take it into consideration for further releases.

Have a nice day!

Status: UNCONFIRMED → NEW
Ever confirmed: true

Do you know if Chrome or Edge have a similar exception policy?

For example Edge has the "AutomaticHttpsDefault" Policy, which can be set to AlwaysUpgrade (2):
https://learn.microsoft.com/en-US/deployedge/microsoft-edge-policies#automatichttpsdefault

Afterwards you can specify exceptions from this via "HttpAllowlist":
https://learn.microsoft.com/en-US/deployedge/microsoft-edge-policies#httpallowlist

Thanks!

I think it makes sense to emulate this.

An exception policy for dom.block_download_insecure would also seem to make sense while adding this.

It is likely that an exception policy for dom.security.https_only_mode and dom.block_download_insecure would be used in a similar manner, the most likely use case being to allow enterprise users to keep things secure, while providing exceptions for sites that are only accessible internally, and therefore do not need or have SSL enabled.

Since there isn't support for exceptions to dom.block_download_insecure in the browser, I wouldn't be able to easily add a separate list.

Unrelated. So there are three policies (two Chrome, one Edge)

https://chromeenterprise.google/policies/#HttpsUpgradesEnabled
https://chromeenterprise.google/policies/#HttpsOnlyMode
https://learn.microsoft.com/en-US/deployedge/microsoft-edge-policies#automatichttpsdefault

And on Firefox, we offer a choice to enable https upgrade in just private windows.

So I'm thinking I'm going to name it HttpsOnlyMode

And provide an option for private mode only.

How important do you think it is that I allow admins to choose whether or not this option is locked? Or should the policy always lock it?

Assignee: nobody → mozilla
Status: NEW → ASSIGNED

I think that there will be companies that don't want to lock it (for example smaller ones without a service desk) and companies that do. For this reason, I would be in favor of an option to lock it.

Duplicate of this bug: 1892658
Severity: -- → S2
Priority: -- → P2
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/641eacd823c9
Add policies for HTTPS only mode. r=freddyb,fluent-reviewers,bolsson
Status: ASSIGNED → RESOLVED
Closed: 12 days ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch