HTTPS-First confuses people because HTTPS-Only Mode is disabled
Categories
(Core :: DOM: Security, task, P2)
People
(Reporter: yrpwcekcathhabglhr, Assigned: maltejur)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Steps to reproduce:
Visited http://images7.alphacoders.com/975/975030.jpg
Actual results:
The "Don’t enable HTTPS-Only Mode" option is not working in the latest Firefox Nightly v129.0a1 (2024-06-26) with add-ons disabled.
From about:config
dom.security.https_first_pbm is false.
When I visit this URL it automatically tries to redirect from HTTP to HTTPS even though network.http.redirection-limit is 0.
From the developer tools network tab I see NS_ERROR_REDIRECT_LOOP because it is trying to redirect me to https. I also see the Upgrade-Insecure-Requests: 1 header under request headers.
If I use the browser toolbox then I see this yellow warning text:
HTTPS-First Mode: Upgrading insecure request “http://images7.alphacoders.com/975/975030.jpg” to use “https”.
So the browser does not respect HTTPS-Only Mode.
When I use a MITM proxy, my proxy does not even receive the request, so Firefox somehow decides locally that it needs to use https without even requesting the resource.
Expected results:
When the user selects HTTPS-Only Mode then the browser should respect the user and not try to enforce its own agenda or views.
In other words, the browser should load the image without redirecting to https. The console should not display NS_ERROR_REDIRECT_LOOP and developer tools should not show the warning HTTPS-First Mode: Upgrading insecure request “http://images7.alphacoders.com/975/975030.jpg” to use “https”.
Reporter
Comment 1•8 months ago
The problem is that this setting does not turn the dom.security.https_first pref to false.
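As an added example (not code from this bug or from Firefox), a small Python audit that parses a Firefox prefs.js/user.js for the prefs named in this report and models the local upgrade decision the reporter describes; the sample profile is constructed, and the `nightly_default` flag and the simplified upgrade rule are assumptions.

```python
import re

# Prefs named in the bug report. Comment 1 notes the HTTPS-Only settings switch
# does not flip dom.security.https_first, so http:// loads were still upgraded.
HTTPS_UPGRADE_PREFS = {
    "dom.security.https_first": "HTTPS-First upgrades in normal windows",
    "dom.security.https_first_pbm": "HTTPS-First upgrades in private windows",
    "network.http.redirection-limit": "redirects followed before NS_ERROR_REDIRECT_LOOP",
}

# One user_pref("name", value); line from prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);')

# Constructed sample profile (not a real one): https_first left at its default,
# redirect limit zeroed as in the report.
SAMPLE_PREFS_JS = """\
user_pref("dom.security.https_first_pbm", false);
user_pref("network.http.redirection-limit", 0);
user_pref("browser.startup.homepage", "about:blank");
"""

def parse_prefs(text):
    """Parse user_pref lines into a dict with Python-typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blanks, anything that is not a pref line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"')
        else:
            prefs[name] = int(raw)
    return prefs

def audit_https_upgrade_prefs(text):
    """Value of each HTTPS-upgrade pref, or None when the profile leaves it at default."""
    prefs = parse_prefs(text)
    return {name: prefs.get(name) for name in HTTPS_UPGRADE_PREFS}

def will_upgrade_locally(prefs, url, private_window=False, nightly_default=True):
    """Simplified model of the reported behaviour: an http:// URL is rewritten to https://
    before any request leaves the browser when the applicable HTTPS-First pref is true.
    nightly_default is an assumption for unset prefs; real Firefox also has exemptions."""
    if not url.lower().startswith("http://"):
        return False
    pref = "dom.security.https_first_pbm" if private_window else "dom.security.https_first"
    return bool(prefs.get(pref, nightly_default))
```

Running the audit on a real profile shows at a glance whether dom.security.https_first was ever set, which is the pref the HTTPS-Only switch leaves untouched.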
Comment 2•8 months ago
The Bugbug bot thinks this bug should belong to the 'DevTools::Netmonitor' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Reporter
Comment 3•8 months ago
Alternative solutions could be either to add a checkbox for HTTPS-First to the settings page or to update the browser toolbox message that says HTTPS-First Mode: Upgrading insecure request “http://images7.alphacoders.com/975/975030.jpg” to use “https” to include a hint about dom.security.https_first.
It could also be useful if this message included its source in the browser toolbox. For example, other messages have the mjs file on the right-hand side of the console so that I can click and explore the code file, but this http warning does not. If it showed which js or mjs file caused this error then I could read the source code to get hints on how to get what I want. For now, setting the dom.security.https_first pref to false seems to have fixed it, but for the future it would be nice if this message had a link to the code so that I could read what pref to modify.
Sorry for spamming comments. I would have edited the initial post, but this site did not seem to allow editing the text itself, so every time I want to add something I have to post it as a comment.
Comment 4•8 months ago
Ok, after reading the comments in more detail, I'm moving back to devtools. Sounds like this is now more a question about hinting at the preference to disable the feature. I don't think we, as devtools, should recommend enabling or disabling such a pref, but if there is documentation we can link to from folks working on HTTPS-First, maybe we can add a "learn more" link?
Comment 5•8 months ago
Is there any documentation (MDN, hacks post) about HTTPS-First which would be useful for us to link in the warning messages related to HTTPS-First?
To be clear: I don't think we should encourage users to disable the pref, and if there's no mention of this in any documentation, that's fine. But if there are helpful resources so that users can learn more about why this is happening, that could still be worth adding. Interested to know what you and your team think about this topic.
Comment 6•8 months ago
Yes. We are enabling HTTPS-First in Firefox Nightly, which behaves similarly to, but not exactly like, HTTPS-Only. We should fix the documentation and look at settings & expectations; however, Firefox will keep upgrading websites regardless of settings, and this aligns us with broader improvements towards more encryption on the web (see the "Outlook" section in our blog post here: https://blog.mozilla.org/security/2024/06/05/firefox-will-upgrade-more-mixed-content-in-version-127/).
Comment 7•8 months ago
Action items:
- We should consider adding a note to the HTTPS-Only switch along the lines of "Firefox will still upgrade some websites". Maybe previous wording from Jeff will come in handy here.
- We should make sure DevTools are properly logging all updates and pointing to a proper article on SUMO.
Comment 9•6 months ago
I think bug 1907517 should have fixed most of this. We should be OK to close this.