Introduce a browser.urlbar.default-to-https pref
Categories
(Firefox :: Address Bar, task, P3)
Tracking
()
People
(Reporter: robwu, Unassigned)
Details
(Keywords: parity-chrome, sec-want)
There is current active work to experiment with a https only mode (bug 1613063), which works by upgrading insecure requests where possible (bug 1620242).
These changes operate at a low layer and aren't visible to the UI, however: When I type example.com
, autocomplete still suggests http://example.com/
, and the urlbar clearly shows the attempt to load http://example.com
when I press Enter (set browser.urlbar.trimURLs
=false
via about:config
to see the scheme). The navigation will eventually end up at https, but this is not obvious to the user.
I'd like to have a preference to default to https instead of http. Whether the load is going to succeed or not is not a concern; that can be handled as part of bug 1613063.
For the past five years I have used this behavior with patches for Chromium and extensions for Firefox and from a usability perspective this wasn't too bad. The usability actually went down when I had to hook up at the request level (and thus not know whether the user specified a scheme or not) instead of the UI level when support for legacy add-ons were dropped in Firefox 57.
Updated•5 years ago
|
Comment 1•5 years ago
|
||
(In reply to Rob Wu [:robwu] from comment #0)
I'd like to have a preference to default to https instead of http. Whether the load is going to succeed or not is not a concern; that can be handled as part of bug 1613063.
Do you mean a user-facing preference or just a way to tell the urlbar to default to https from another part of Firefox?
Comment 2•5 years ago
|
||
https://searchfox.org/mozilla-central/rev/9120151ddb35f2d4c37bfe613a54a4f10a9a3dc5/docshell/base/URIFixup.jsm#698 should be set to "https" if a new pref called browser.urlbar.default-to-https was manually set to true on about:config.
The default-to-https behavior could be tested by typing neverssl.com into the address bar: Then, the first suggestion is "https://neverssl.com -- Visit". If you press enter, https://neverssl.com is opened. If you want http, then you have to type http://neverssl.com. Mozilla Servo has this behavior already.
Comment 3•5 years ago
|
||
This would be the first of two steps.
As browser.urlbar.trimURLs is true, you would type in http://neverssl.com, but "neverssl.com" is shown after pressing enter. If you then edit the path and press enter, you would try to open "neverssl.com/path", hence it would be https://neverssl.com/path. That's a temporary unsoundness, but also self-bullying into https.
("hstspreload.org" would open https://hstspreload.org/ and editing the path does not change the protocol.)
This unsoundness would be fixed by bug 1067293: The protocol of http://neverssl.com/ would not be hidden by browser.urlbar.trimURLs if browser.urlbar.default-to-https is true. You could edit http://neverssl.com/ to http://neverssl.com/path or hstspreload.org to hstspreload.org/path.
bug 1067293 should also imply security.insecure_connection_text.enabled if browser.urlbar.default-to-https is true. (Highlight danger instead of security. That's why the EV bar was removed. The padlock is enough for https.)
Comment 4•5 years ago
|
||
P3 for now, it sounds like a good starting point for a soft release, there's many code points and tests to adapt before it could be flipped for everyone.
Updated•4 years ago
|
Updated•4 years ago
|
Updated•3 years ago
|
Updated•2 years ago
|
Comment 5•1 years ago
|
||
Hi there Frederick, do you think this preference is necessary or if it'll be handled by the work you're doing?
Comment 6•1 years ago
|
||
I think this one can be duplicated against bug 1812192
Comment 7•1 years ago
|
||
Makes sense as in the WIP patch, it looks like you're creating dom.security.https_first_schemeless
.
Description
•