HTTPS-First test for bad certificates
Categories
(Core :: DOM: Security, task, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox92 | --- | fixed |
People
(Reporter: t.yavor, Assigned: t.yavor)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
When https-first opens a site with a bad certificate, we might want to skip showing a warning page.
Instead, https-first could downgrade the request to http.
Updated•3 years ago
Assignee
Comment 1•3 years ago
Currently https-first acts like this:
- Assume we have a website `example.com` that supports both `http` and `https`.
- If the initial request is `http://example.com`: https-first upgrades it, receives an error and downgrades to http.
- If the initial request is `https://example.com`: Since it is an https request which wasn't upgraded by https-first, https-first doesn't downgrade it - Warning page gets displayed.
Probably we would need https-first to interfere with https requests, to skip every warning page. But if https-first is interfering, it would have at most two options. One is to accept the bad cert, so we don't actually have an https connection, but at top level it would still look like one (? not sure if it is still kind of an https connection...).
The other option would be to downgrade to http, but probably in most cases the http site redirects to the https site; at least that would be reasonable for a website that thinks it supports https.
Assignee
Comment 2•3 years ago
So a simple downgrade won't work, in most cases.
Assignee
Updated•3 years ago
Comment 3•3 years ago
Downgrading to `http` when encountering a bad certificate error seems correct to us.
Assignee
Comment 4•3 years ago
Comment 6•3 years ago
bugherder
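The cases listed in Comment 1 and the downgrade proposed in the description and Comment 3, written out as a small model. This is an added example, not Firefox code or part of the bug thread; `navigate`, the `site` fields, the `downgradeTypedHttps` switch and the "downgrade at most once" guard are assumptions made for the illustration.

```javascript
// Added illustration, not Firefox code. `navigate`, the `site` fields and the
// "downgrade at most once" guard are assumptions made for this model.
function navigate(url, site, opts = { downgradeTypedHttps: false }) {
  const trace = [];
  let protocol = new URL(url).protocol;
  let upgradedByHttpsFirst = false;
  let alreadyDowngraded = false;

  for (let hop = 0; hop < 6; hop++) {
    if (protocol === "http:" && !alreadyDowngraded) {
      // https-first upgrades the http request before it is sent.
      protocol = "https:";
      upgradedByHttpsFirst = true;
      trace.push("upgrade");
    } else if (protocol === "https:") {
      if (!site.badCert) return { result: "loaded-https", trace };
      const mayDowngrade = upgradedByHttpsFirst || opts.downgradeTypedHttps;
      if (!mayDowngrade || alreadyDowngraded) {
        // Comment 1, third bullet: a request https-first did not upgrade
        // is not downgraded, so the certificate warning is shown.
        return { result: "cert-warning", trace };
      }
      protocol = "http:";
      upgradedByHttpsFirst = false;
      alreadyDowngraded = true;
      trace.push("downgrade");
    } else if (site.httpRedirectsToHttps) {
      // The concern in Comments 1 and 2: the http site sends us back to https.
      protocol = "https:";
      trace.push("redirect-to-https");
    } else {
      return { result: "loaded-http", trace };
    }
  }
  return { result: "gave-up", trace };
}

// Constructed sample sites (not real servers).
const badCertOnly = { badCert: true, httpRedirectsToHttps: false };
const badCertWithRedirect = { badCert: true, httpRedirectsToHttps: true };
const proposal = { downgradeTypedHttps: true };

console.log(navigate("http://example.com", badCertOnly));
console.log(navigate("https://example.com", badCertOnly));
console.log(navigate("https://example.com", badCertOnly, proposal));
console.log(navigate("https://example.com", badCertWithRedirect, proposal));
```

The last call shows why a plain downgrade is not enough when the http site redirects back to https: in this model the single allowed downgrade is used up and the certificate warning is reached anyway.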