dom.security.https_only_mode - impossible to set exceptions
Categories: Firefox :: Enterprise Policies, enhancement, P2
People: Reporter: pascal.reintjens, Assigned: mkaply
Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Steps to reproduce:
- Created a policies.json file with the following contents:
  {
    "policies": {
      "Preferences": {
        "dom.security.https_only_mode": {
          "Value": true,
          "Status": "locked"
        }
      }
    }
  }
- Subsequently, placed this file within the installation directory: C:\Program Files\Mozilla Firefox\distribution\policies.json
- Restarted the browser and went to Settings > Privacy & Security > HTTPS-Only Mode
Actual results:
The HTTPS-Only Mode is enabled and enforced. The user can set exceptions by himself by clicking on Manage exceptions, but it is not possible to add exceptions via policy.
Expected results:
It should be possible to set exceptions from HTTPS-Only Mode via Policy.
Additionally, it would be great to get an option to block the user from setting any exceptions himself.
Maybe the whole HTTPS-Only Mode is a good candidate for its own policy option instead of setting it via Preferences.
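Added example (not part of the original report, and not Mozilla's code): a small audit an administrator could run over deployed policies.json files to confirm that the preference from the steps above is really enabled and locked. The function name and the sample strings are constructed for this example, and treating a missing Status as a finding is this script's own choice. Exceptions that users add through Manage exceptions are not stored in this file, so the script cannot see them.

```python
import json

PREF = "dom.security.https_only_mode"
# Status values of the Preferences policy; only "locked" prevents user changes.
KNOWN_STATUS = {"default", "locked", "user", "clear"}


def audit_https_only(policies_text):
    """Return findings (empty list = enforced) for one policies.json document."""
    try:
        doc = json.loads(policies_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return ['top-level "policies" object missing']
    prefs = policies.get("Preferences")
    entry = prefs.get(PREF) if isinstance(prefs, dict) else None
    if not isinstance(entry, dict):
        return [f"{PREF} is not set under Preferences"]
    findings = []
    # A JSON string "true" or number 1 is not the boolean the pref expects.
    if entry.get("Value") is not True:
        findings.append(f"Value is {entry.get('Value')!r}, expected boolean true")
    status = entry.get("Status")
    if status is None:
        # Assumption of this script: require the lock intent to be explicit.
        findings.append("Status missing; state the lock intent explicitly")
    elif status not in KNOWN_STATUS:
        findings.append(f"unknown Status {status!r}")
    elif status != "locked":
        findings.append(f"Status is {status!r}; user can switch HTTPS-Only Mode off")
    return findings


# Constructed samples: the first mirrors the file in the report, the others weaken it.
REPORTED = ('{"policies": {"Preferences": {"dom.security.https_only_mode": '
            '{"Value": true, "Status": "locked"}}}}')
UNLOCKED = REPORTED.replace('"locked"', '"default"')
STRING_VALUE = REPORTED.replace("true", '"true"')

if __name__ == "__main__":
    for name, text in [("reported", REPORTED), ("unlocked", UNLOCKED),
                       ("string value", STRING_VALUE)]:
        print(name, "->", audit_https_only(text) or "enforced")
```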
Comment 1 (Reporter) • 2 months ago
To clarify, I would like to block the user from setting the permanent exceptions. The temporary ones would be fine.
Comment 2 • 2 months ago
The Bugbug bot thinks this bug should belong to the 'Firefox::Enterprise Policies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 3 • 1 month ago
Hello! Thank you for submitting this issue. I will mark it as NEW in order to get our developers involved and take it into consideration for further releases.
Have a nice day!
Comment 4 (Assignee) • 1 month ago
Do you know if Chrome or Edge have a similar exception policy?
Comment 5 (Reporter) • 1 month ago
For example, Edge has the "AutomaticHttpsDefault" policy, which can be set to AlwaysUpgrade (2):
https://learn.microsoft.com/en-US/deployedge/microsoft-edge-policies#automatichttpsdefault
Afterwards you can specify exceptions from this via "HttpAllowlist":
https://learn.microsoft.com/en-US/deployedge/microsoft-edge-policies#httpallowlist
Comment 6 (Assignee) • 1 month ago
Thanks!
I think it makes sense to emulate this.
An exception policy for dom.block_download_insecure would also seem to make sense while adding this.
It is likely that an exception policy for dom.security.https_only_mode and dom.block_download_insecure would be used in a similar manner, the most likely use case being to allow enterprise users to keep things secure, while providing exceptions for sites that are only accessible internally, and therefore do not need or have SSL enabled.
Comment 8 (Assignee) • 29 days ago
Since there isn't support for exceptions to dom.block_download_insecure in the browser, I wouldn't be able to easily add a separate list.
Unrelated. So there are three policies (two Chrome, one Edge):
https://chromeenterprise.google/policies/#HttpsUpgradesEnabled
https://chromeenterprise.google/policies/#HttpsOnlyMode
https://learn.microsoft.com/en-US/deployedge/microsoft-edge-policies#automatichttpsdefault
And on Firefox, we offer a choice to enable HTTPS upgrade in just private windows.
So I'm thinking I'm going to name it HttpsOnlyMode and provide an option for private mode only.
How important do you think it is that I allow admins to choose whether or not this option is locked? Or should the policy always lock it?
Comment 9 (Assignee) • 29 days ago
Comment 10 (Reporter) • 28 days ago
I think that there will be companies that don't want to lock it (for example smaller ones without a service desk) and companies that do. For this reason, I would be in favor of an option to lock it.
Comment 12 • 12 days ago
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/641eacd823c9
Add policies for HTTPS only mode. r=freddyb,fluent-reviewers,bolsson
Comment 13 • 12 days ago
bugherder