HTTPS Only Mode - Exceptions for loopback and local IP addresses
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox77 | --- | fixed |
People
(Reporter: julianwels, Assigned: julianwels)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
Currently, the HTTPS-Only mode upgrades requests to 127.0.0.1, ::1 and local IP-addresses.
Requests within a local network usually can be trusted and also get annoying for local web development, so it's appropriate to add an exception for them.
Comment 1•4 years ago
In Servo I added exceptions for localhost and onion: https://github.com/servo/servo/blob/904fcb4317ffd0f1ed6d0400cdb768fedacfda3d/components/net/hsts.rs#L150-L172
Comment 2•4 years ago
(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #1)
> In Servo I added exceptions for localhost and onion: https://github.com/servo/servo/blob/904fcb4317ffd0f1ed6d0400cdb768fedacfda3d/components/net/hsts.rs#L150-L172

Great suggestion. I think Tor Browser may be interested in using this mode by default at some point in the future, so having an onion exception will be very helpful.
Assignee
Comment 3•4 years ago
Pushed by dluca@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a37a427fac07 Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin
Comment 5•4 years ago
Backed out changeset a37a427fac07 for causing wpt crashes in websocket.https.html
Backout link: https://hg.mozilla.org/integration/autoland/rev/3d4c4017506c030f023c0d74d482a99d9cae5b28
Failure logs:
- https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299576223&repo=autoland&lineNumber=3983
- https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299576536&repo=autoland&lineNumber=2626
Update:
bc failures: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299580670&repo=autoland&lineNumber=23578
dt failures: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299586536&repo=autoland&lineNumber=2945
Pushed by apavel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7b5f7ee72a6c Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin
Comment 7•4 years ago
exempt is misspelled "excempt" in 2 files, 5 times
Comment 8•4 years ago
Backed out for failing bc at browser_upgrade_exceptions.js
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299671626&repo=autoland&lineNumber=1685
Tier1 failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299671887&repo=autoland&lineNumber=4976
Backout: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299671887&repo=autoland&lineNumber=4976
Backout by apavel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/87a0521b742f Backed out changeset 7b5f7ee72a6c for failing bc at browser_upgrade_exceptions.js on a CLOSED TREE
Assignee
Comment 10•4 years ago
(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #1)
> In Servo I added exceptions for localhost and onion: https://github.com/servo/servo/blob/904fcb4317ffd0f1ed6d0400cdb768fedacfda3d/components/net/hsts.rs#L150-L172

It's cool that this feature is already in Servo, thank you for sharing this!

(In reply to Matthew Elvey from comment #7)
> exempt is misspelled "excempt" in 2 files, 5 times

Oh no. Thanks for telling me!
Comment 11•4 years ago
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8e7b6ae8e18d Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin
Comment 12•4 years ago
Backed out changeset 8e7b6ae8e18d (bug 1631384) for browser_upgrade_exceptions.js failure
Backout link: https://hg.mozilla.org/integration/autoland/rev/60a6cc5c9aed16212e8d2978815e4624748e7b37
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299959621&repo=autoland&lineNumber=1773
[task 2020-04-29T10:11:27.513Z] 10:11:27 INFO - TEST-START | dom/security/test/https-only/browser_upgrade_exceptions.js
[task 2020-04-29T10:11:27.514Z] 10:11:27 INFO - GECKO(1234) | Chrome file doesn't exist: /builds/worker/workspace/build/tests/mochitest/browser/dom/security/test/https-only/head.js
[task 2020-04-29T10:11:27.530Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.530Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.531Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.532Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.532Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.533Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.534Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.534Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.535Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.577Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.578Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.578Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.578Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.580Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.581Z] 10:11:27 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:27.677Z] 10:11:27 INFO - GECKO(1234) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpjBcLhH.mozrunner/runtests_leaks_tab_pid1635.log
[task 2020-04-29T10:11:27.678Z] 10:11:27 INFO - GECKO(1234) | [1635, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp, line 224
[task 2020-04-29T10:11:27.781Z] 10:11:27 INFO - TEST-INFO | started process screentopng
[task 2020-04-29T10:11:28.428Z] 10:11:28 INFO - TEST-INFO | screentopng: exit 0
[task 2020-04-29T10:11:28.429Z] 10:11:28 INFO - Buffered messages logged at 10:11:27
[task 2020-04-29T10:11:28.430Z] 10:11:28 INFO - Entering test bound
[task 2020-04-29T10:11:28.430Z] 10:11:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) -
[task 2020-04-29T10:11:28.431Z] 10:11:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) -
[task 2020-04-29T10:11:28.432Z] 10:11:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should be exempt from upgrades by default -
[task 2020-04-29T10:11:28.432Z] 10:11:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should be be exempt from HTTPS-Only upgrades by default -
[task 2020-04-29T10:11:28.433Z] 10:11:28 INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://10.0.250.250/” to use “https”." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:11:28.434Z] 10:11:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should get upgraded when 'dom.security.https_only_mode.upgrade_local' is set to true -
[task 2020-04-29T10:11:28.435Z] 10:11:28 INFO - Buffered messages finished
[task 2020-04-29T10:11:28.436Z] 10:11:28 INFO - TEST-UNEXPECTED-FAIL | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should get upgraded when 'dom.security.https_only_mode.upgrade_onion' is set to true -
[task 2020-04-29T10:11:28.436Z] 10:11:28 INFO - Stack trace:
[task 2020-04-29T10:11:28.437Z] 10:11:28 INFO - chrome://mochikit/content/browser-test.js:test_ok:1269
[task 2020-04-29T10:11:28.437Z] 10:11:28 INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:runTest:87
[task 2020-04-29T10:11:28.438Z] 10:11:28 INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:null:49
[task 2020-04-29T10:11:28.438Z] 10:11:28 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1039
[task 2020-04-29T10:11:28.438Z] 10:11:28 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1074
[task 2020-04-29T10:11:28.438Z] 10:11:28 INFO - chrome://mochikit/content/browser-test.js:nextTest/<:898
[task 2020-04-29T10:11:28.438Z] 10:11:28 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:918
[task 2020-04-29T10:11:28.441Z] 10:11:28 INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Upgrading insecure request “https://10.0.250.250/” failed. (M6-C2)" {file: "https://10.0.250.250/" line: 0}]
[task 2020-04-29T10:11:28.441Z] 10:11:28 INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://grocery.shopping.for.one.onion/” to use “https”." {file: "http://grocery.shopping.for.one.onion/" line: 0}]
[task 2020-04-29T10:11:28.442Z] 10:11:28 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:28.443Z] 10:11:28 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:28.443Z] 10:11:28 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:28.444Z] 10:11:28 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:28.444Z] 10:11:28 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:28.445Z] 10:11:28 INFO - GECKO(1234) | [Parent 1234, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/cookie/CookieJarSettings.cpp, line 197
[task 2020-04-29T10:11:28.445Z] 10:11:28 INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Not upgrading insecure request “http://10.0.250.250/” because it is exempt." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:11:28.448Z] 10:11:28 INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Upgrading insecure request “http://grocery.shopping.for.one.onion/” failed. (M6-C2)" {file: "http://grocery.shopping.for.one.onion/" line: 0}]
[task 2020-04-29T10:11:28.449Z] 10:11:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | The HTTPS_ONLY_EXEMPT flag should overrule upgrade-prefs -
[task 2020-04-29T10:11:28.449Z] 10:11:28 INFO - Leaving test bound
[task 2020-04-29T10:11:28.449Z] 10:11:28 INFO - GECKO(1234) | [Child 1613, Main Thread] WARNING: could not set real-time limit at process startup: file /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp, line 1666
[task 2020-04-29T10:11:28.450Z] 10:11:28 INFO - GECKO(1234) | [Child 1613: Main Thread]: I/DocShellAndDOMWindowLeak ++DOCSHELL 0x7fd2922d3800 == 1 [pid = 1613] [id = {71c09aff-9460-43d3-a867-f6b6d74f6fd7}]
[task 2020-04-29T10:11:28.450Z] 10:11:28 INFO - GECKO(1234) | MEMORY STAT | vsize 2874MB | residentFast 363MB | heapAllocated 137MB
[task 2020-04-29T10:11:28.451Z] 10:11:28 INFO - TEST-OK | dom/security/test/https-only/browser_upgrade_exceptions.js | took 412ms
Comment 13•4 years ago
Also seeing this failure on the backed out changes: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299962502&repo=autoland&lineNumber=5346
[task 2020-04-29T10:36:28.152Z] 10:36:28 INFO - TEST-START | dom/security/test/https-only/browser_upgrade_exceptions.js
[task 2020-04-29T10:36:28.315Z] 10:36:28 INFO - TEST-INFO | started process screentopng
[task 2020-04-29T10:36:28.977Z] 10:36:28 INFO - TEST-INFO | screentopng: exit 0
[task 2020-04-29T10:36:28.977Z] 10:36:28 INFO - Buffered messages logged at 10:36:28
[task 2020-04-29T10:36:28.977Z] 10:36:28 INFO - Entering test bound
[task 2020-04-29T10:36:28.980Z] 10:36:28 INFO - Console message: [JavaScript Warning: "Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content." {file: "chrome://browser/content/aboutNetError.js" line: 474}]
[task 2020-04-29T10:36:28.981Z] 10:36:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) -
[task 2020-04-29T10:36:28.982Z] 10:36:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Loopback IP addresses should always be exempt from upgrades (127.0.0.1) -
[task 2020-04-29T10:36:28.983Z] 10:36:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should be exempt from upgrades by default -
[task 2020-04-29T10:36:28.984Z] 10:36:28 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should be be exempt from HTTPS-Only upgrades by default -
[task 2020-04-29T10:36:28.984Z] 10:36:28 INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://10.0.250.250/” to use “https”." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:36:28.986Z] 10:36:28 INFO - Buffered messages finished
[task 2020-04-29T10:36:28.988Z] 10:36:28 INFO - TEST-UNEXPECTED-FAIL | dom/security/test/https-only/browser_upgrade_exceptions.js | Local IP addresses should get upgraded when 'dom.security.https_only_mode.upgrade_local' is set to true -
[task 2020-04-29T10:36:28.989Z] 10:36:28 INFO - Stack trace:
[task 2020-04-29T10:36:28.990Z] 10:36:28 INFO - chrome://mochikit/content/browser-test.js:test_ok:1269
[task 2020-04-29T10:36:28.991Z] 10:36:28 INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:runTest:87
[task 2020-04-29T10:36:28.992Z] 10:36:28 INFO - chrome://mochitests/content/browser/dom/security/test/https-only/browser_upgrade_exceptions.js:null:44
[task 2020-04-29T10:36:28.992Z] 10:36:28 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1039
[task 2020-04-29T10:36:28.993Z] 10:36:28 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1074
[task 2020-04-29T10:36:28.994Z] 10:36:28 INFO - chrome://mochikit/content/browser-test.js:nextTest/<:904
[task 2020-04-29T10:36:28.995Z] 10:36:28 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:918
[task 2020-04-29T10:36:28.995Z] 10:36:28 INFO - Console message: [JavaScript Warning: "HTTPS-Only Mode: Upgrading insecure request “http://grocery.shopping.for.one.onion/” to use “https”." {file: "http://grocery.shopping.for.one.onion/" line: 0}]
[task 2020-04-29T10:36:28.996Z] 10:36:28 INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Upgrading insecure request “http://10.0.250.250/” failed. (M6-C2)" {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:36:29.005Z] 10:36:29 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | Hosts ending with .onion should get upgraded when 'dom.security.https_only_mode.upgrade_onion' is set to true -
[task 2020-04-29T10:36:29.006Z] 10:36:29 INFO - Console message: [JavaScript Error: "HTTPS-Only Mode: Not upgrading insecure request “http://10.0.250.250/” because it is exempt." {file: "http://10.0.250.250/" line: 0}]
[task 2020-04-29T10:36:29.007Z] 10:36:29 INFO - TEST-PASS | dom/security/test/https-only/browser_upgrade_exceptions.js | The HTTPS_ONLY_EXEMPT flag should overrule upgrade-prefs -
[task 2020-04-29T10:36:29.007Z] 10:36:29 INFO - Leaving test bound
[task 2020-04-29T10:36:29.008Z] 10:36:29 INFO - GECKO(9659) | MEMORY STAT | vsize 2812MB | residentFast 318MB | heapAllocated 130MB
[task 2020-04-29T10:36:29.009Z] 10:36:29 INFO - TEST-OK | dom/security/test/https-only/browser_upgrade_exceptions.js | took 246ms
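
The behaviour the test cases in these logs check (loopback always exempt, local IPs and .onion hosts exempt unless the corresponding pref is set, the HTTPS_ONLY_EXEMPT flag overruling both prefs), written out as an added JavaScript example that is not part of the thread. It is not Gecko's or Servo's code: `decideUpgrade`, its return shape, and treating "local" as RFC 1918 plus 169.254.0.0/16 are assumptions; the pref names and sample hosts come from the log.

```javascript
// Added illustration; not Gecko or Servo code. Pref names are taken from the test log.
const DEFAULT_PREFS = {
  "dom.security.https_only_mode.upgrade_local": false,
  "dom.security.https_only_mode.upgrade_onion": false,
};

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Loopback: 127.0.0.0/8 or ::1 (URL.hostname keeps the brackets on IPv6 literals).
function isLoopback(host) {
  const v4 = parseIPv4(host);
  return host === "[::1]" || (v4 !== null && v4[0] === 127);
}

// Assumption: "local" = RFC 1918 private ranges plus 169.254.0.0/16 link-local.
function isLocalIPv4(host) {
  const v4 = parseIPv4(host);
  if (!v4) return false;
  const [a, b] = v4;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Returns { upgrade, url, reason } for a request URL.
// `exemptFlag` models the HTTPS_ONLY_EXEMPT flag, which overrules the prefs.
// new URL() lower-cases the host and canonicalizes IPv4 literals to dotted-quad
// for http URLs, so the checks below see one spelling per address.
function decideUpgrade(rawUrl, prefs = DEFAULT_PREFS, exemptFlag = false) {
  const url = new URL(rawUrl);
  const keep = (reason) => ({ upgrade: false, url: url.href, reason });
  if (url.protocol !== "http:") return keep("not-http");
  if (exemptFlag) return keep("exempt-flag");
  const host = url.hostname;
  if (isLoopback(host)) return keep("loopback");
  if (isLocalIPv4(host) && !prefs["dom.security.https_only_mode.upgrade_local"])
    return keep("local-ip");
  if (host.endsWith(".onion") && !prefs["dom.security.https_only_mode.upgrade_onion"])
    return keep("onion");
  url.protocol = "https:";
  return { upgrade: true, url: url.href, reason: "upgraded" };
}
```
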
Comment 14•4 years ago
The Test Verify failure popped up on Tier 1: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=299962530&repo=autoland&lineNumber=23749
Comment 15•4 years ago
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8bd794936e27 Added upgrade exceptions for HTTPS Only Mode. r=ckerschb,necko-reviewers,valentin
Assignee
Comment 16•4 years ago
If this test is an intermittent monster as well I'll just drop the test and create a follow-up bug
Comment 17•4 years ago
bugherder