[Rollout] HTTPS-Only mode about:preferences UI does not control the feature once enrolled in the rollout
Categories
(Core :: DOM: Security, defect, P2)
Tracking
Tracking | Status
---|---
firefox128 | affected
firefox129 | unaffected
firefox130 | unaffected
People
(Reporter: ppop, Assigned: maltejur)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file: screen recording, 842.61 KB, image/gif)
[Affected versions]:
- Firefox Release 125.0.3 (Build #20240425211020)
- Firefox Release 128.0 (Build #20240704121409)
[Affected Platforms]:
- Windows 10 x64
- macOS 14.4
- Ubuntu 22.04 x64
[Prerequisites]:
- Have the latest Firefox Release 128 installed.
- Have a browser profile enrolled in the HTTPS as default protocol rollout (https://experimenter.services.mozilla.com/nimbus/https-as-default-protocoll-in-address-bar/summary).
[Steps to reproduce]:
- Open the browser with the profile from the prerequisites.
- Navigate to the about:preferences#privacy page and scroll down to the HTTPS-Only Mode section.
- Click the "Enable HTTPS-Only Mode in private windows only" option.
- Navigate to the "upgradable.httpsonly.polar.onl/" page and observe the address bar.
- Navigate to the about:preferences#privacy page and click the "Don’t enable HTTPS-Only Mode" option.
- Navigate to the "upgradable.httpsonly.polar.onl/" page and observe the address bar.
[Expected result]:
- The HTTP protocol is not upgraded to HTTPS on non-private browsing windows.
[Actual result]:
- The HTTP protocol is upgraded to HTTPS regardless of the option chosen.
[Notes]:
- The about:preferences UI correctly controls the feature while not enrolled in the rollout.
- While enrolled in the rollout, the UI is also set to "Don’t enable HTTPS-Only Mode" by default, while the feature is already enabled in all windows (normal browsing by the rollout and in PBM by default).
- Attached a screen recording of the issue.
Comment 1•7 months ago
HTTPS-Only is a mostly separate feature from "schemeless HTTPS-First" ("HTTPS as default protocol in address bar"). What is being rolled out currently is just changing the default protocol/scheme in the address bar, while HTTPS-Only will try to upgrade all connections to HTTPS, and also block everything that it is not able to upgrade, instead of falling back to HTTP (which is what is happening for schemeless HTTPS-First).
There is some interaction between the two features though. Enabling HTTPS-Only will "override" schemeless HTTPS-First, as it is much stricter. That essentially means the dom.security.https_first_schemeless pref being rolled out doesn't matter if HTTPS-Only is enabled in the settings UI. Because of that, for simplicity's sake, we decided to roll out schemeless HTTPS-First regardless of whether HTTPS-Only is enabled.
Also of note: later this year we plan to ship yet another mode of upgrading requests called "HTTPS-First" (not just schemeless). That will upgrade all page loads (not just address bar loads without a scheme, but also clicks on links like http://google.com). But compared to HTTPS-Only, it will also provide a fallback. Before we ship that, we still want to update the HTTPS-Only settings UI slightly to make it less confusing and clearer that there are other ways Firefox will upgrade requests (that UX work is tracked in Bug 1904989). HTTPS-First is also already enabled by default right now in private browsing.
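The precedence comment 1 describes (HTTPS-Only is strict and wins; HTTPS-First upgrades with an HTTP fallback; schemeless HTTPS-First only touches address-bar loads typed without a scheme) can be written down as a small decision model. The block below is an added illustration, not Firefox code and not attached to this bug: only dom.security.https_first_schemeless is named on this page, the other pref names and the mapping of the three about:preferences radio buttons onto prefs are my assumptions, and the load inputs are constructed to mirror the steps to reproduce. The reproduceReport() function shows why the reporter still saw an upgrade: the "Don’t enable HTTPS-Only Mode" choice only clears the HTTPS-Only prefs, while the rollout flips a separate pref that the UI never reads.

```javascript
// Toy model of the upgrade precedence described in comment 1. Not Firefox's
// implementation; written to make the feature interaction concrete.

// Pref names: dom.security.https_first_schemeless appears on the page; the
// others are ASSUMED to match Firefox's about:config and are not quoted here.
const ONLY       = "dom.security.https_only_mode";
const ONLY_PBM   = "dom.security.https_only_mode_pbm";
const FIRST      = "dom.security.https_first";
const FIRST_PBM  = "dom.security.https_first_pbm";
const SCHEMELESS = "dom.security.https_first_schemeless";

// Defaults as comment 1 describes them: nothing strict, HTTPS-First on in PBM only.
const DEFAULT_PREFS = {
  [ONLY]: false,
  [ONLY_PBM]: false,
  [FIRST]: false,
  [FIRST_PBM]: true,
  [SCHEMELESS]: false,
};

// ASSUMED mapping of the three HTTPS-Only radio buttons in about:preferences#privacy.
// Note that none of them touches the HTTPS-First prefs, which is the bug's root cause.
function applyHttpsOnlyUiChoice(prefs, choice) {
  const out = { ...prefs };
  switch (choice) {
    case "all": out[ONLY] = true;  out[ONLY_PBM] = false; break; // "Enable ... in all windows"
    case "pbm": out[ONLY] = false; out[ONLY_PBM] = true;  break; // "... in private windows only"
    case "off": out[ONLY] = false; out[ONLY_PBM] = false; break; // "Don’t enable HTTPS-Only Mode"
    default: throw new Error(`unknown UI choice: ${choice}`);
  }
  return out;
}

// Toy scheme test: good enough for web loads ("http://", "https://"); a bare
// "host/path" as typed in the address bar counts as schemeless.
function hasScheme(url) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(url);
}

// load = { url, kind: "addressbar" | "link", privateWindow: boolean }
// Returns which mechanism (if any) upgrades the load and whether it may fall back.
function decideUpgrade(prefs, load) {
  const schemeless = !hasScheme(load.url);
  if (!schemeless && !/^http:\/\//i.test(load.url)) {
    return { upgrade: false, fallbackToHttp: false, mode: "none" }; // already https or non-web
  }
  // 1. HTTPS-Only: upgrades everything and blocks what cannot be upgraded.
  if (prefs[ONLY] || (load.privateWindow && prefs[ONLY_PBM])) {
    return { upgrade: true, fallbackToHttp: false, mode: "https-only" };
  }
  // 2. HTTPS-First: upgrades all page loads but falls back to HTTP on failure.
  if (prefs[FIRST] || (load.privateWindow && prefs[FIRST_PBM])) {
    return { upgrade: true, fallbackToHttp: true, mode: "https-first" };
  }
  // 3. Schemeless HTTPS-First: only address-bar loads typed without a scheme.
  if (schemeless && load.kind === "addressbar" && prefs[SCHEMELESS]) {
    return { upgrade: true, fallbackToHttp: true, mode: "https-first-schemeless" };
  }
  return { upgrade: false, fallbackToHttp: false, mode: "none" };
}

// The reporter's scenario: enrolled profile (rollout flipped the schemeless pref),
// UI switched to "Don’t enable HTTPS-Only Mode", schemeless address-bar load in a
// normal window. The load is still upgraded, with fallback, by mechanism 3.
function reproduceReport() {
  const enrolled = { ...DEFAULT_PREFS, [SCHEMELESS]: true };
  const prefs = applyHttpsOnlyUiChoice(enrolled, "off");
  return decideUpgrade(prefs, {
    url: "upgradable.httpsonly.polar.onl/", // constructed input, from the steps to reproduce
    kind: "addressbar",
    privateWindow: false,
  });
}

// Same UI choice on a profile that is not enrolled: no upgrade, as the reporter notes.
function notEnrolled() {
  const prefs = applyHttpsOnlyUiChoice(DEFAULT_PREFS, "off");
  return decideUpgrade(prefs, {
    url: "upgradable.httpsonly.polar.onl/",
    kind: "addressbar",
    privateWindow: false,
  });
}
```

Running reproduceReport() returns mode "https-first-schemeless" with fallbackToHttp true, while notEnrolled() returns mode "none"; a link click on an http:// URL in a normal window is left alone even when enrolled, and a private window gets "https-first" from the PBM default regardless of the rollout.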