Closed
Bug 1234186
Opened 9 years ago
Closed 9 years ago
Unified autocompletion "Visit" feature doesn't use https for https-only websites
Categories
(Firefox :: Address Bar, defect, P1)
Tracking
()
VERIFIED
FIXED
Firefox 46
Tracking | Status | |
---|---|---|
firefox42 | --- | unaffected |
firefox43 | --- | wontfix |
firefox44 | --- | wontfix |
firefox45 | --- | verified |
firefox46 | --- | verified |
People
(Reporter: ws.bugzilla, Assigned: mak)
References
Details
(Keywords: regression, Whiteboard: [fxsearch][unifiedcomplete])
Attachments
(1 file)
(deleted),
text/x-review-board-request
|
adw
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details |
Much of our infrastructure is hosted on https-only sites that simply do not respond over insecure http. The new "Visit" feature in the location bar autocompletion doesn't work in this scenario: it takes you to http, which simply times out.
It is unlikely that we can add an insecure redirect just to accommodate this Firefox autocompletion oddity. The net effect is a degraded experience for Firefox users.
Assignee | ||
Comment 1•9 years ago
|
||
(In reply to Roman from comment #0)
> Much of our infrastructure is hosted on https-only sites that simply do not
> respond over insecure http. The new "Visit" feature in the location bar
> autocompletion doesn't work in this scenario: it takes you to http, which
> simply times out.
it is not a new feature, the previous versions were doing exactly the same, just that there was no entry. You can try, just type the same string and press enter, it will do the same.
> It is unlikely that we can add an insecure redirect just to accommodate this
> Firefox autocompletion oddity.
Autocomplete suggests what the user typed, if the user typed the http version it will suggest http, if he typed the https version it will suggest https. https has priority over http. In your case you likely entered an url containing non secure version of the page and never entered an https url to it, and thus it is just respecting what you did.
This is something that can happen with any autocomplete implementation, with other browsers and with previous versions of firefox, if you want to enforce https you should use HSTS for the good of your users.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
(In reply to Marco Bonardo [::mak] from comment #1)
> it is not a new feature, the previous versions were doing exactly the same,
> just that there was no entry. You can try, just type the same string and
> press enter, it will do the same.
To clarify, I'm talking about the case where the https URL is already in the history. I did in fact test this and it did in fact work on Firefox 42: visit https://somesite.com, then type "some..." and press Enter. You will be taken to the https URL in Firefox 42, but not in Firefox 43.
> Autocomplete suggests what the user typed, if the user typed the http
> version it will suggest http, if he typed the https version it will suggest
> https. https has priority over http. In your case you likely entered an url
> containing non secure version of the page and never entered an https url to
> it, and thus it is just respecting what you did.
That's exactly the thing. It doesn't. It goes to http, even though my history contains https.
I'm going to reopen this on the basis of this misunderstanding.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment hidden (obsolete) |
Assignee | ||
Comment 4•9 years ago
|
||
(note that regardless we having a bug or not you should really use HSTS since we can't protect your users from malicious third parties abusing the http part)
Assignee | ||
Comment 5•9 years ago
|
||
I think that I can reproduce something like you are reporting, let me double check.
Assignee: nobody → mak77
(In reply to Marco Bonardo [::mak] from comment #3)
> Doesn't this work?
Nope. Thanks for looking at this Marco. I agree about HSTS; our current setup is far from ideal, I was just reporting what looks like a regression.
Comment hidden (obsolete) |
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(paolo.mozmail)
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(dolske)
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(adw)
Assignee | ||
Comment 8•9 years ago
|
||
Looks like there's also a regression in unified complete that I'm still investigating... so I'll likely have to move all the enhancement discussion elsewhere :(
Flags: needinfo?(past)
Flags: needinfo?(paolo.mozmail)
Flags: needinfo?(dolske)
Flags: needinfo?(adw)
Assignee | ||
Comment 9•9 years ago
|
||
moved the enhancements to bug 1239708. Investigating the regression here.
STR:
1. Open a new profile
2. visit https://amazon.ca/
3. type "amaz" in the locationbar
4. the https version should be visited, instead the http version is visited
Assignee | ||
Comment 10•9 years ago
|
||
The bug is in EnterMatch, we basically don't force anymore the finalCompleteValue for the defaultIndex cause now we have an entry in the popup.
We don't enter anymore the "else if (shouldComplete) {" branch cause "if (selectedIndex >= 0) {" is now true.
in the first branch we fail both "if (!completeSelection || aIsPopupSelection) {" and "else if (mCompletedSelectionIndex != -1)" so nothing is reading the finalCompleteValue from the result.
Assignee | ||
Updated•9 years ago
|
Priority: -- → P1
Assignee | ||
Updated•9 years ago
|
Keywords: regression
Whiteboard: [fxsearch][unifiedcomplete]
Assignee | ||
Comment 11•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/31245/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/31245/
Attachment #8709077 -
Flags: review?(adw)
Assignee | ||
Comment 12•9 years ago
|
||
sigh, Try failures, this needs a little bit more work. To check:
toolkit/components/passwordmgr/test/test_basic_form_autocomplete.html
toolkit/components/passwordmgr/test/test_case_differences.html
toolkit/components/satchel/test/test_form_autocomplete.html
toolkit/components/satchel/test/test_popup_enter_event.html
toolkit/components/satchel/test/test_form_autocomplete_with_list.html
toolkit/content/tests/chrome/test_autocomplete_change_after_focus.html
toolkit/components/autocomplete/tests/unit/test_finalCompleteValue.js
Assignee | ||
Comment 13•9 years ago
|
||
[Tracking Requested - why for this release]:
status-firefox42:
--- → unaffected
status-firefox43:
--- → wontfix
status-firefox44:
--- → wontfix
status-firefox45:
--- → affected
status-firefox46:
--- → affected
Assignee | ||
Comment 14•9 years ago
|
||
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/31245/diff/1-2/
Assignee | ||
Comment 15•9 years ago
|
||
I'm triggering a new try run on mozreview.
Assignee | ||
Comment 16•9 years ago
|
||
ok, looks like this passes all the tests.
Comment 17•9 years ago
|
||
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw
https://reviewboard.mozilla.org/r/31245/#review28337
Attachment #8709077 -
Flags: review?(adw) → review+
Assignee | ||
Comment 19•9 years ago
|
||
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw
Approval Request Comment
[Feature/regressing bug #]: Unified Complete
[User impact if declined]: Instead of suggesting the secure version of a website, autofill ends up suggesting the unsecure one.
[Describe test coverage new/current, TreeHerder]: unit-test
[Risks and why]: Risk should be limited by the fact the change is tiny and has decent test coverage
[String/UUID change made/needed]: none
Attachment #8709077 -
Flags: approval-mozilla-aurora?
Comment 20•9 years ago
|
||
bugherder |
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Comment 21•9 years ago
|
||
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw
Fix a regression, has tests, taking it.
Attachment #8709077 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 22•9 years ago
|
||
bugherder uplift |
Updated•9 years ago
|
Flags: qe-verify+
Comment 23•9 years ago
|
||
Verified as fixed using "https://example.com" and "https://amazon.ca/" on Firefox 45 beta 6 and latest Aurora 46.0a2 2016-02-17 under Win 7 64-bit, Ubuntu 14.04 64-bit and Mac OS X 10.9.5.
You need to log in
before you can comment on or make changes to this bug.
Description
•