Closed Bug 771788 Opened 8 years ago Closed 3 years ago

Use HTTPS instead of HTTP for in-product URLs

Categories

(Firefox :: General, defect)

defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: eldmannen+mozilla, Unassigned)

Details

(Keywords: meta)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120615112143

Steps to reproduce:

about:config
Search: http://


Actual results:

app.releaseNotesURL;http://www.mozilla.com/%LOCALE%/%APP%/%VERSION%/releasenotes/
app.support.baseURL;http://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
app.update.url.details;http://www.mozilla.com/%LOCALE%/%APP%/releases/
app.update.url.manual;http://www.firefox.com
app.vendorURL;http://www.mozilla.com/%LOCALE%/%APP%/
breakpad.reportURL;http://crash-stats.mozilla.com/report/index/
browser.contentHandlers.types.0.uri;http://fusion.google.com/add?feedurl=%s
browser.contentHandlers.types.1.uri;http://add.my.yahoo.com/rss?url=%s
browser.geolocation.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/geolocation/
browser.safebrowsing.malware.reportURL;http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site=
browser.safebrowsing.provider.0.gethashURL;http://safebrowsing.clients.google.com/safebrowsing/gethash?client={moz:client}&appver={moz:version}&pver=2.2
browser.safebrowsing.provider.0.reportErrorURL;http://{moz:locale}.phish-error.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportGenericURL;http://{moz:locale}.phish-generic.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportMalwareErrorURL;http://{moz:locale}.malware-error.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportMalwareURL;http://{moz:locale}.malware-report.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportPhishURL;http://{moz:locale}.phish-report.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportURL;http://safebrowsing.clients.google.com/safebrowsing/report?
browser.safebrowsing.provider.0.updateURL;http://safebrowsing.clients.google.com/safebrowsing/downloads?client={moz:client}&appver={moz:version}&pver=2.2
browser.safebrowsing.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/phishing-protection/
extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
extensions.input.happyURL;http://input.mozilla.com/happy
extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
extensions.input.sadURL;http://input.mozilla.com/sad
gecko.handlerService.schemes.mailto.0.uriTemplate;http://compose.mail.yahoo.com/?To=%s
gecko.handlerService.schemes.webcal.0.uriTemplate;http://30boxes.com/external/widget?refer=ff&url=%s
toolkit.telemetry.infoURL;http://www.mozilla.com/legal/privacy/firefox.html#telemetry

On 'app.update.url.manual;http://www.firefox.com' suffix a slash at the end to make it FQDN.


Expected results:

The secure HTTPS protocol should have been used, not the insecure HTTP protocol.
Can anyone with good authority on this subject address why updates, and various web-based security functions, are delivered with HTTP, and not HTTPS?
Component: Untriaged → General
Keywords: meta
Summary: Use HTTPS instead of HTTP → Use HTTPS instead of HTTP for in-product URLs
OS: Linux → All
Hardware: x86_64 → All
(In reply to Eldmannen from comment #0)
> app.releaseNotesURL;http://www.mozilla.com/%LOCALE%/%APP%/%VERSION%/releasenotes/
> app.support.baseURL;http://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
> app.update.url.details;http://www.mozilla.com/%LOCALE%/%APP%/releases/
> app.update.url.manual;http://www.firefox.com
> app.vendorURL;http://www.mozilla.com/%LOCALE%/%APP%/
> browser.geolocation.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/geolocation/
> toolkit.telemetry.infoURL;http://www.mozilla.com/legal/privacy/firefox.html#telemetry

Now bug 840687.

> breakpad.reportURL;http://crash-stats.mozilla.com/report/index/

Bug 840682.

> browser.safebrowsing.malware.reportURL;http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site=
> browser.safebrowsing.provider.0.gethashURL;http://safebrowsing.clients.google.com/safebrowsing/gethash?client={moz:client}&appver={moz:version}&pver=2.2
> browser.safebrowsing.provider.0.reportErrorURL;http://{moz:locale}.phish-error.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportGenericURL;http://{moz:locale}.phish-generic.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportMalwareErrorURL;http://{moz:locale}.malware-error.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportMalwareURL;http://{moz:locale}.malware-report.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportPhishURL;http://{moz:locale}.phish-report.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportURL;http://safebrowsing.clients.google.com/safebrowsing/report?
> browser.safebrowsing.provider.0.updateURL;http://safebrowsing.clients.google.com/safebrowsing/downloads?client={moz:client}&appver={moz:version}&pver=2.2
> browser.safebrowsing.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/phishing-protection/
>
> On 'app.update.url.manual;http://www.firefox.com' suffix a slash at the end
> to make it FQDN.

Bug 783047.

> extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
> extensions.input.happyURL;http://input.mozilla.com/happy
> extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
> extensions.input.sadURL;http://input.mozilla.com/sad

Bug 840678.

> browser.contentHandlers.types.0.uri;http://fusion.google.com/add?feedurl=%s

Bug 840710.

> browser.contentHandlers.types.1.uri;http://add.my.yahoo.com/rss?url=%s
> gecko.handlerService.schemes.mailto.0.uriTemplate;http://compose.mail.yahoo.com/?To=%s

Bug 840705.

> gecko.handlerService.schemes.webcal.0.uriTemplate;http://30boxes.com/external/widget?refer=ff&url=%s

Bug 840699.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 13 Branch → Trunk
Depends on: 847788
Depends on: 847784
Depends on: 847786
Depends on: 847789
Depends on: 847811
Depends on: 847812
Depends on: 847814
Depends on: 847816
Depends on: 848263
Depends on: 995867
Thunderbird is also affected.
Many of these have now been fixed.

A few remain.

browser.safebrowsing.reportErrorURL;http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportGenericURL;http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareErrorURL;http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareURL;http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportPhishURL;http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%

devtools.gcli.jquerySrc;http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js
devtools.gcli.lodashSrc;http://cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.min.js
devtools.gcli.underscoreSrc;http://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.6.0/underscore-min.js
loop.CSP;default-src 'self' about: file: chrome:; img-src 'self' data: http://www.gravatar.com/ about: file: chrome:; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net

gravatar over http instead of https. The site can be reached over https.
Depends on: 1086556
Blocks: 1086560
No longer blocks: 1086560
Depends on: 1086560
Depends on: 1138323
Depends on: 1109475
9 left.

browser.safebrowsing.reportErrorURL;http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportGenericURL;http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareErrorURL;http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareURL;http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportPhishURL;http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%
extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
extensions.input.happyURL;http://input.mozilla.com/happy
extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
extensions.input.sadURL;http://input.mozilla.com/sad
input.mozilla.com supports HTTPS and in fact connecting over HTTP redirects to HTTPS.
So the URLs in the browser should be over HTTPS.
(In reply to Eldmannen from comment #6)
> 9 left.
> 
> browser.safebrowsing.*

These are fixed by bug 1109475.

> extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
> extensions.input.happyURL;http://input.mozilla.com/happy
> extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
> extensions.input.sadURL;http://input.mozilla.com/sad

These are not in mozilla-central, and I'm not sure where the relevant code lives... Greg, is this Heartbeat stuff?
Flags: needinfo?(glind)
(In reply to Justin Dolske [:Dolske] from comment #8)
> (In reply to Eldmannen from comment #6)
> > 9 left.
> > 
> > browser.safebrowsing.*
> 
> These are fixed by bug 1109475.
> 
> > extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
> > extensions.input.happyURL;http://input.mozilla.com/happy
> > extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
> > extensions.input.sadURL;http://input.mozilla.com/sad
> 
> These are not in mozilla-central, and I'm not sure where the relevant code
> lives... Greg, is this Heartbeat stuff?

These are not heartbeat urls. These are feedback urls for the old Input and I'm pretty sure they were fixed ages ago. You can see the instances of "input.mozilla.org" (the correct domain) and "input.mozilla.com" (the old domain) here:

https://dxr.mozilla.org/mozilla-central/search?q=input.mozilla&redirect=true
Flags: needinfo?(glind)
All URLs seem to be converted now, with the sole exception of captivedetect.canonicalURL, which by definition cannot use https. Closing.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME

It is difficult to reproduce this nowadays since about:config has regressed in functionality and no longer searches the value, only the key.
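
Since about:config no longer searches values, the same audit can be run over a saved list of prefs in the `name;value` form used throughout this bug. This is an added example, not code from the bug or from Mozilla: the function names, the allowlist set, and the last two sample lines (including the captivedetect value, which the bug does not give) are assumptions made for illustration.

```python
import re

# Prefs that must stay on plain HTTP. The closing comment names this one;
# the set itself is an assumption of this example.
HTTP_REQUIRED = frozenset({"captivedetect.canonicalURL"})

# An http:// URL anywhere in a value, so CSP-style values are covered too.
HTTP_URL = re.compile(r"\bhttp://[^\s;'\"]+")

# The first three lines are taken from the bug; the last two are constructed.
SAMPLE = """\
extensions.input.sadURL;http://input.mozilla.com/sad
browser.safebrowsing.reportPhishURL;http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%
loop.CSP;default-src 'self' about: file: chrome:; img-src 'self' data: http://www.gravatar.com/ about: file: chrome:; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com
captivedetect.canonicalURL;http://captive.example.invalid/
example.secure.infoURL;https://example.org/info
"""

def parse_prefs(text):
    """Yield (name, value) pairs from 'name;value' lines."""
    for line in text.splitlines():
        line = line.strip()
        if ";" not in line:
            continue
        # Split on the first ';' only: values such as loop.CSP contain more.
        name, value = line.split(";", 1)
        yield name, value

def insecure_prefs(text, allow=HTTP_REQUIRED):
    """Map each pref name to the plain-HTTP URLs found in its value."""
    findings = {}
    for name, value in parse_prefs(text):
        if name in allow:
            continue
        urls = HTTP_URL.findall(value)
        if urls:
            findings[name] = urls
    return findings

def suggest_https(value):
    """Return the value with every http:// URL rewritten to https://."""
    return HTTP_URL.sub(lambda m: "https://" + m.group(0)[len("http://"):], value)

if __name__ == "__main__":
    for name, urls in insecure_prefs(SAMPLE).items():
        print(name, urls)
```

A rewritten value still has to be checked against the server, as was done for input.mozilla.com in the comments above, before it is shipped as a default.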
