HTTPS-only mode is ignored when reopening closed tab
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox116 | --- | unaffected |
| firefox117 | --- | fix-optional |
| firefox118 | --- | affected |
| firefox119 | --- | affected |
People
(Reporter: 6k64x4ma, Assigned: mjurgens, NeedInfo)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [domsecurity-active])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Steps to reproduce:
- Set
dom.security.https_only_modeto true. - Go to http://http.badssl.com/ in the new tab. Secure Site Not Available page appears.
- Close the tab (ctrl + w).
- Reopen the tab (ctrl + shift + t).
Actual results:
http.badssl.com is loaded.
Expected results:
Loading HTTP site should be blocked.
Regression window
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=29a59c4a2f6ab17b86054f5d8c0d18893b0da18a&tochange=b242365f7a2f1101b3edf116b24ba5a2bac9bc7b
|
Assignee | |
Comment 1•1 year ago
|
||
I can not reproduce this on my end. I tested the latest Nightly, and mozilla-central builds from 2023-06-10 (before the commits you linked) and 2023-06-12 (after the commits you linked). I will attach a screen recording of my attempt.
Just to confirm, did you click the "Continue to HTTP Site" button? Because if you did, what you describe would be the expected behavior.
|
|
Assignee | |
Comment 2•1 year ago
|
||
I didn't click the button.
On the latest Nightly with a new profile, I followed the exact same steps as you did in the screen recording, but http.badssl.com is loaded.
|
|
Assignee | |
Comment 4•1 year ago
|
||
I can reproduce the problem now. I tested the wrong date because I misread it, it should be 2023-07-12, not 2023-06-12, and it seems I did something wrong when testing it with Nightly originally, my bad.
|
|
Assignee | |
Comment 5•1 year ago
|
||
Thanks a lot for the report. This seems to be the code causing the page to load here.
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 6•1 year ago
|
||
The same issue is also happening with history navigation, so for example:
- Set
dom.security.https_only_modeto true - Open
http://http.badssl.com - In the same tab, open
https://google.com - Press the back button
Result: http://http.badssl.com is loaded via HTTP.
Expected: http://http.badssl.com should be prevented from loading.
|
||
Comment 7•1 year ago
|
||
Set release status flags based on info from the regressing bug 1839612
|
|
Assignee | |
Comment 8•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 9•1 year ago
|
||
Tom, IIUC, Freddy is on PTO at the moment. Do you have cycles to review this given that 117 goes to RC next week?
|
||
Comment 10•1 year ago
|
||
I'm sorry, with Freddy and Christoph out I think we're going to have to wait - I don't feel comfortable reviewing this.
|
|
||
Updated•1 year ago
|
|
|
||
Comment 11•1 year ago
|
||
Not likely to make Fx117 before it goes to RC in that case. We'll keep it on the radar for a dot release at least.
|
|
||
Comment 12•1 year ago
|
||
Set release status flags based on info from the regressing bug 1839612
|
||
Comment 13•1 year ago
|
||
Malte, are you working on this one for a potential uplift or should it ride the trains?
|
|
||
Updated•1 year ago
|
Description
•