Closed Bug 1631384 Opened 4 years ago Closed 4 years ago

HTTPS Only Mode - Exceptions for loopback and local IP addresses

Categories

(Core :: DOM: Security, enhancement, P2)

RESOLVED FIXED
mozilla77
Tracking Status
firefox77 --- fixed

People

(Reporter: julianwels, Assigned: julianwels)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Currently, the HTTPS-Only mode upgrades requests to 127.0.0.1, ::1 and local IP-addresses.

Requests within a local network usually can be trusted and also get annoying for local web development, so it's appropriate to add an exception for them.

(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #1)

> In Servo I added exceptions for localhost and onion: https://github.com/servo/servo/blob/904fcb4317ffd0f1ed6d0400cdb768fedacfda3d/components/net/hsts.rs#L150-L172

Great suggestion. I think Tor Browser may be interested in using this mode by default at some point in the future, so having an onion exception will be very helpful.

Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a37a427fac07
Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7b5f7ee72a6c
Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin

exempt is misspelled "excempt" in 2 files, 5 times

Backout by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/87a0521b742f
Backed out changeset 7b5f7ee72a6c for failing bc at browser_upgrade_exceptions.js on a CLOSED TREE

(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #1)

> In Servo I added exceptions for localhost and onion: https://github.com/servo/servo/blob/904fcb4317ffd0f1ed6d0400cdb768fedacfda3d/components/net/hsts.rs#L150-L172

It's cool that this feature is already in Servo, thank you for sharing this!

(In reply to Matthew Elvey from comment #7)

> exempt is misspelled "excempt" in 2 files, 5 times

Oh no. Thanks for telling me!

Flags: needinfo?(julianwels)
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8e7b6ae8e18d
Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin

Backed out changeset 8e7b6ae8e18d (bug 1631384) for browser_upgrade_exceptions.js failure

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedTaskRun=Q2HqJQ2eQm6nDIdATNBPUw-0&fromchange=c4046fb0495918f54c2ca77b867a7755c432e22a&tochange=60a6cc5c9aed16212e8d2978815e4624748e7b37&test_paths=dom%2Fsecurity%2Ftest%2Fhttps-only%2F

Backout link: https://hg.mozilla.org/integration/autoland/rev/60a6cc5c9aed16212e8d2978815e4624748e7b37

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299959621&repo=autoland&lineNumber=1773

[task 2020-04-29T10:11:27.513Z] 10:11:27     INFO - TEST-START | dom/security/test/https-only/browser_upgrade_exceptions.js
[task 2020-04-29T10:11:27.514Z] 10:11:27     INFO - GECKO(1234) | Chrome file doesn't exist: /builds/worker/workspace/build/tests/mochitest/browser/dom/security/test/https-only/head.js
[task 2020-04-29T10:11:27.530Z] 10:11:27     INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.677Z] 10:11:27     INFO - GECKO(1234) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpjBcLhH.mozrunner/runtests_leaks_tab_pid1635.log
[task 2020-04-29T10:11:27.678Z] 10:11:27     INFO - GECKO(1234) | [1635, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp, line 224
[task 2020-04-29T10:11:27.781Z] 10:11:27     INFO - TEST-INFO | started process screentopng
[task 2020-04-29T10:11:28.428Z] 10:11:28     INFO - TEST-INFO | screentopng: exit 0
[task 2020-04-29T10:11:28.429Z] 10:11:28     INFO - Buffered messages logged at 10:11:27
[task 2020-04-29T10:11:28.430Z] 10:11:28     INFO - Entering test bound 
[task 2020-04-29T10:11:28.430Z] 10:11:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) - 
[task 2020-04-29T10:11:28.431Z] 10:11:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) - 
[task 2020-04-29T10:11:28.432Z] 10:11:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should be exempt from upgrades by default - 
[task 2020-04-29T10:11:28.432Z] 10:11:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should be be exempt from HTTPS-Only upgrades by default - 
[task 2020-04-29T10:11:28.433Z] 10:11:28     INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://10.0.250.250/” to use “https”." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:11:28.434Z] 10:11:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should get upgraded when 'dom.security.https_only_mode.upgrade_local' is set to true - 
[task 2020-04-29T10:11:28.435Z] 10:11:28     INFO - Buffered messages finished
[task 2020-04-29T10:11:28.436Z] 10:11:28     INFO - TEST-UNEXPECTED-FAIL | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should get upgraded when 'dom.security.https_only_mode.upgrade_onion' is set to true - 
[task 2020-04-29T10:11:28.436Z] 10:11:28     INFO - Stack trace:
[task 2020-04-29T10:11:28.437Z] 10:11:28     INFO - chrome://mochikit/content/browser-test.js:test_ok:1269
[task 2020-04-29T10:11:28.437Z] 10:11:28     INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:runTest:87
[task 2020-04-29T10:11:28.438Z] 10:11:28     INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:null:49
[task 2020-04-29T10:11:28.438Z] 10:11:28     INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1039
[task 2020-04-29T10:11:28.438Z] 10:11:28     INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1074
[task 2020-04-29T10:11:28.438Z] 10:11:28     INFO - chrome://mochikit/content/browser-test.js:nextTest/<:898
[task 2020-04-29T10:11:28.438Z] 10:11:28     INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:918
[task 2020-04-29T10:11:28.441Z] 10:11:28     INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Upgrading insecure request “https://10.0.250.250/” failed. (M6-C2)" {file: "https://10.0.250.250/" line: 0}]
[task 2020-04-29T10:11:28.441Z] 10:11:28     INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://grocery.shopping.for.one.onion/” to use “https”." {file: "http://grocery.shopping.for.one.onion/" line: 0}]
[task 2020-04-29T10:11:28.442Z] 10:11:28     INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:28.445Z] 10:11:28     INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Not upgrading insecure request “http://10.0.250.250/” because it is exempt." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:11:28.448Z] 10:11:28     INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Upgrading insecure request “http://grocery.shopping.for.one.onion/” failed. (M6-C2)" {file: "http://grocery.shopping.for.one.onion/" line: 0}]
[task 2020-04-29T10:11:28.449Z] 10:11:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | The HTTPS_ONLY_EXEMPT flag should overrule upgrade-prefs - 
[task 2020-04-29T10:11:28.449Z] 10:11:28     INFO - Leaving test bound 
[task 2020-04-29T10:11:28.449Z] 10:11:28     INFO - GECKO(1234) | [Child 1613, Main Thread] WARNING: could not set real-time limit at process startup: file /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp, line 1666
[task 2020-04-29T10:11:28.450Z] 10:11:28     INFO - GECKO(1234) | [Child 1613: Main Thread]: I/DocShellAndDOMWindowLeak ++DOCSHELL 0x7fd2922d3800 == 1 [pid = 1613] [id = {71c09aff-9460-43d3-a867-f6b6d74f6fd7}]
[task 2020-04-29T10:11:28.450Z] 10:11:28     INFO - GECKO(1234) | MEMORY STAT | vsize 2874MB | residentFast 363MB | heapAllocated 137MB
[task 2020-04-29T10:11:28.451Z] 10:11:28     INFO - TEST-OK | dom/security/test/https-only/browser_upgrade_exceptions.js | took 412ms
Flags: needinfo?(julianwels)

Also seeing this failure on the backed out changes: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299962502&repo=autoland&lineNumber=5346

[task 2020-04-29T10:36:28.152Z] 10:36:28     INFO - TEST-START | dom/security/test/https-only/browser_upgrade_exceptions.js
[task 2020-04-29T10:36:28.315Z] 10:36:28     INFO - TEST-INFO | started process screentopng
[task 2020-04-29T10:36:28.977Z] 10:36:28     INFO - TEST-INFO | screentopng: exit 0
[task 2020-04-29T10:36:28.977Z] 10:36:28     INFO - Buffered messages logged at 10:36:28
[task 2020-04-29T10:36:28.977Z] 10:36:28     INFO - Entering test bound 
[task 2020-04-29T10:36:28.980Z] 10:36:28     INFO - Console message: [JavaScript Warning: "Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content." {file: "chrome://browser/content/aboutNetError.js" line: 474}]
[task 2020-04-29T10:36:28.981Z] 10:36:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) - 
[task 2020-04-29T10:36:28.982Z] 10:36:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) - 
[task 2020-04-29T10:36:28.983Z] 10:36:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should be exempt from upgrades by default - 
[task 2020-04-29T10:36:28.984Z] 10:36:28     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should be be exempt from HTTPS-Only upgrades by default - 
[task 2020-04-29T10:36:28.984Z] 10:36:28     INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://10.0.250.250/” to use “https”." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:36:28.986Z] 10:36:28     INFO - Buffered messages finished
[task 2020-04-29T10:36:28.988Z] 10:36:28     INFO - TEST-UNEXPECTED-FAIL | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should get upgraded when 'dom.security.https_only_mode.upgrade_local' is set to true - 
[task 2020-04-29T10:36:28.989Z] 10:36:28     INFO - Stack trace:
[task 2020-04-29T10:36:28.990Z] 10:36:28     INFO - chrome://mochikit/content/browser-test.js:test_ok:1269
[task 2020-04-29T10:36:28.991Z] 10:36:28     INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:runTest:87
[task 2020-04-29T10:36:28.992Z] 10:36:28     INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:null:44
[task 2020-04-29T10:36:28.992Z] 10:36:28     INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1039
[task 2020-04-29T10:36:28.993Z] 10:36:28     INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1074
[task 2020-04-29T10:36:28.994Z] 10:36:28     INFO - chrome://mochikit/content/browser-test.js:nextTest/<:904
[task 2020-04-29T10:36:28.995Z] 10:36:28     INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:918
[task 2020-04-29T10:36:28.995Z] 10:36:28     INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://grocery.shopping.for.one.onion/” to use “https”." {file: "http://grocery.shopping.for.one.onion/" line: 0}]
[task 2020-04-29T10:36:28.996Z] 10:36:28     INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Upgrading insecure request “http://10.0.250.250/” failed. (M6-C2)" {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:36:29.005Z] 10:36:29     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should get upgraded when 'dom.security.https_only_mode.upgrade_onion' is set to true - 
[task 2020-04-29T10:36:29.006Z] 10:36:29     INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Not upgrading insecure request “http://10.0.250.250/” because it is exempt." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:36:29.007Z] 10:36:29     INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | The HTTPS_ONLY_EXEMPT flag should overrule upgrade-prefs - 
[task 2020-04-29T10:36:29.007Z] 10:36:29     INFO - Leaving test bound 
[task 2020-04-29T10:36:29.008Z] 10:36:29     INFO - GECKO(9659) | MEMORY STAT | vsize 2812MB | residentFast 318MB | heapAllocated 130MB
[task 2020-04-29T10:36:29.009Z] 10:36:29     INFO - TEST-OK | dom/security/test/https-only/browser_upgrade_exceptions.js | took 246ms
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8bd794936e27
Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin

If this test is an intermittent monster as well I'll just drop the test and create a follow-up bug

Flags: needinfo?(julianwels)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
See Also: → 1850773
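
Added example (not part of the bug thread and not Gecko's implementation): a small model of the exemption rules that the test names in the logs above describe. The pref names, the `HTTPS_ONLY_EXEMPT` flag and the 10.0.250.250 and .onion hosts come from those logs; the function names, the definition of "local" as RFC 1918 plus IPv4 link-local, and `example.com` are assumptions made for illustration. Only `::1` is handled for IPv6.

```javascript
// Added example: a model of the exemption rules, not Gecko's implementation.
// Pref names are copied from the test log on this page; both default to false.
const UPGRADE_LOCAL = "dom.security.https_only_mode.upgrade_local";
const UPGRADE_ONION = "dom.security.https_only_mode.upgrade_onion";

// Strict dotted-quad parser: returns four octets, or null for anything else.
function parseIPv4(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : 256));
  return octets.every((n) => n <= 255) ? octets : null;
}

// Classify a hostname as "loopback", "local", "onion" or "public".
// Assumption: "local" means RFC 1918 plus IPv4 link-local (169.254.0.0/16).
function classifyHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // URL keeps IPv6 brackets
  if (h === "::1") return "loopback";
  const ip = parseIPv4(h);
  if (ip) {
    const [a, b] = ip;
    if (a === 127) return "loopback";
    const local = a === 10 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254);
    return local ? "local" : "public";
  }
  return h.endsWith(".onion") ? "onion" : "public";
}

// Decide whether an http: request is rewritten to https:.
// exemptFlag models the per-request HTTPS_ONLY_EXEMPT flag named in the log.
function shouldUpgrade(urlString, prefs = {}, exemptFlag = false) {
  const url = new URL(urlString); // canonicalises forms such as http://2130706433/
  if (url.protocol !== "http:") return false; // nothing to upgrade
  if (exemptFlag) return false; // the flag overrules both prefs
  switch (classifyHost(url.hostname)) {
    case "loopback": return false; // always exempt, no pref changes this
    case "local": return prefs[UPGRADE_LOCAL] === true;
    case "onion": return prefs[UPGRADE_ONION] === true;
    default: return true;
  }
}

// Hosts from the test log above, plus example.com as a constructed public host.
for (const u of ["http://127.0.0.1/", "http://10.0.250.250/",
  "http://grocery.shopping.for.one.onion/", "http://example.com/"]) {
  console.log(u, shouldUpgrade(u));
}
```

Classifying the hostname after URL parsing matters: the parser normalises alternative IPv4 spellings to dotted-quad form, so the loopback and local checks see one canonical representation.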