Closed Bug 1978358 Opened 17 days ago Closed 16 days ago

The Firefox search bar visually (graphical interface) connects to URLs entered by the user first via HTTP and then via HTTPS.

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
Firefox 140
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1904837

People

(Reporter: littlephoenix85, Unassigned)

Details

Attachments

(3 files)

dom.security.https_first
87.45 KB, image/png
Details
Firefox search bar (graphical interface) from HTTP to HTTPS
523.12 KB, video/mp4
Details
Firefox search bar (graphical interface) from HTTP to HTTPS (2025-07-24 18-24-38)
188.69 KB, video/mp4
Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0

Steps to reproduce:

Enter a complete URL into the search bar of your browser's GUI.
Linux 6.15.6-200.fc42.x86_64
Fedora Linux 42 (Workstation Edition)
Firefox 140.0.4
64-bit

Actual results:

The Firefox search bar visually (graphical interface) connects to URLs entered by the user first via HTTP and then via HTTPS. Using the netstat -tupan command, I verified active connections between the dynamic port (client side) and port 443 of the websites. There are no active connections via port 80 or 8080. I've already updated the system and browser, and the https-only security mode is active.
I checked the Firefox man page from the command line to find a workaround (RTFM). But I didn't find a solution.

Expected results:

I can't tell if this is just a graphical issue or a security flaw that has already been exploited.

Moving to DOM security for HTTPS only / HTTPS first

Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core

dom.security.https_first is already true

In this video, I pasted the URL www.google.it into the Firefox search bar to make the report clearer.

Group: core-security → dom-core-security

"www.google.it" is not a URL, so first the address bar has to decide if you meant to do a search or meant to load a website. In this case it decides it's a domain name and does a "fixup" to turn it into a real URL so it can tell the browser engine to load it. This is what you're seeing—it is not connecting to "http://www.google.it".

You have "HTTPS Only" enabled, so the browser engine converts that to https://www.google.it internally. It never connects to the insecure site at all.

  • Should the front end fix-up use https: instead of http:? Yes: there is a bug filed on that
  • Should the front end fix-up especially do this when HTTPS-only is turned on? again, yes

This is just a visual problem, not insecure.

Group: dom-core-security
Keywords: dupeme

(In reply to Daniel Veditz [:dveditz] from comment #4)

  • Should the front end fix-up use https: instead of http:? Yes: there is a bug filed on that

I couldn't find this, though I found bug 1812192 which is strongly related. Hopefully Malte knows where we're tracking the overall fixup story at this point.

Flags: needinfo?(maltejur)

This sounds like a duplicate of Bug 1904837. That bug apparently got closed as WONTFIX, because it could get "fixed" eventually if Bug 1736955 is implemented, and no scheme is displayed at all. But as I don't know how likely it is that that will actually happen, and also to make it easier to find that bug for other people in the future, we may want to consider reopening it.

Status: UNCONFIRMED → RESOLVED
Closed: 16 days ago
Duplicate of bug: 1904837
Flags: needinfo?(maltejur)
Resolution: --- → DUPLICATE

In the fedora live (fedora 42 - 64 bit - workstation edition), firefox (136.0.3) does not have this anomaly. At this point I will implement a clean install and then I will let you know.

I performed a clean install of Fedora 42 from the most recent netinstall ISO (April 2025): https://fedora.mirror.garr.it/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-netinst-x86_64-42-1.1.iso.
After updating the entire system, I tested Mozilla Firefox 141.0. The visual anomaly previously reported (also in the attached documentation) has disappeared. I configured Firefox for https-only connections, but netstat for firefox detects connections between: the dynamic port (client side) and port 443 (website side); the dynamic port (client side) and port 80 (website side).

I haven't made any updates or changes to the system since my previous comment, but the bug has recurred.
In the new attached video, it's visible in a fraction of a second (after the ninth second of the 15-second video).

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: