HTTPS-Only: Add error page suggestions on how to proceed
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
Version | Tracking | Status
---|---|---
firefox88 | --- | fixed
People
(Reporter: julianwels, Assigned: leli, NeedInfo)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(6 files, 1 obsolete file)
There are a couple of common mistakes websites make that cause an error page in HTTPS-Only Mode. The most common one is that a domain is only meant to redirect the user to a different website and therefore has no certificate (see for example bug 1650779).
Although we can check for these mistakes, redirecting the user anyway would pose a security risk. What we could do instead is show some kind of UI on the error page to inform the user of the attempted redirect and about the possible risks.
Comment 4•3 years ago
Thank you for the screenshot and your work on this bug! I have some comments:
I believe the blue color is supposed to indicate the recommended or default action. So the "Continue to Secure WWW Site" button should be grey, not blue. Also, I think the button text "Continue to Secure WWW Site" probably needs revision. I would recommend something like "Try https://www.speedofanimals.com".
Lastly, I would still prefer that we make trying "https://www..." automatic rather than adding a button, because a third button adds unnecessary cognitive load for the user.
Comment 6•3 years ago
> my thoughts
> Possible Alternatives
> should be singular: "There is a secure version..."
> - you don't know that. Perhaps use "There may be a secure version..."

Thanks, yes, you are right, it should be singular.
What do you mean by not knowing? This part only shows up if the www. page can be reached via https... is "secure" the wrong term?
Comment 8•3 years ago
> this part only shows up if the www. page can be reached via https

Oh. My mistake then. I thought that hadn't been determined yet. In which case the part about trying seems misleading.

In order to know that the insecure http: request is trying to redirect the user to an https: URL on a different domain, wouldn't the browser need to first make the insecure request (to inspect the response headers)? Doing so would violate HTTPS-Only Mode.
Comment 10•3 years ago
I don't use the response header, so it does not violate HTTPS-Only Mode.
We start with an http request to <page> and HTTPS-Only tries to upgrade. If that doesn't work, we end up on the error page.
If <page> does not start with www., I try to reach https://www.<page> and, if a secure connection is possible, the suggestion text with a button to the secure www.<page> appears.
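The procedure this comment describes, as an added illustration that is not Firefox's own code: derive the https://www. candidate only when the host has no www. prefix, probe that candidate over HTTPS only (the probe is an injected, hypothetical callback so the snippet runs offline), and offer a button rather than navigating automatically. Nothing from the failed insecure request is consulted.

```javascript
// Added example, not Firefox's implementation. Mirrors the logic in
// comment 10: the insecure request's response is never inspected;
// only a fresh HTTPS probe of www.<host> decides whether to suggest it.

// Build the https://www.<host> candidate for a URL that HTTPS-Only
// Mode could not upgrade, or null when no candidate applies.
function wwwCandidate(failedUrl) {
  let url;
  try {
    url = new URL(failedUrl);
  } catch (e) {
    return null; // unparsable input: nothing to suggest
  }
  const host = url.hostname;
  // Only plain hostnames are eligible: skip hosts that already carry
  // a www. prefix, IPv4 literals and bracketed IPv6 literals.
  if (host.startsWith("www.") || /^[\d.]+$/.test(host) || host.startsWith("[")) {
    return null;
  }
  url.protocol = "https:"; // the candidate is always HTTPS
  url.hostname = "www." + host; // port, path and query are preserved
  return url.href;
}

// Decide what the error page should offer. `probe(httpsUrl)` is a
// hypothetical callback returning true only if an HTTPS connection to
// that exact URL succeeded (no plaintext fallback, no redirects followed).
function wwwSuggestion(failedUrl, probe) {
  const candidate = wwwCandidate(failedUrl);
  if (candidate === null || !candidate.startsWith("https://")) {
    return { showButton: false, target: null };
  }
  // Never navigate automatically; the user gets a button to click.
  return probe(candidate)
    ? { showButton: true, target: candidate }
    : { showButton: false, target: null };
}
```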
Comment 11•3 years ago
Depends on D101468
Comment 12•3 years ago
Depends on D103700
Comment 14•3 years ago
Feedback from Mikal was to keep this message short, so we should keep that in mind in the next revision. Will also want to limit the number of actions to reduce cognitive load.
Next week is Proton hand-off so ideally, I would look at this the week of March 8. Is that too late? Please let me know if I am a blocker.
Comment 15•3 years ago
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/21d33ceefa30
Add www button on https-only error page r=ckerschb,JulianWels,Gijs
https://hg.mozilla.org/integration/autoland/rev/b09ac7fc26b1
Add www button on https-only error page - test r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/44bb81629125
Add www button on https-only error page - test click on www suggestion button r=ckerschb
Comment 16•3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/21d33ceefa30
https://hg.mozilla.org/mozilla-central/rev/b09ac7fc26b1
https://hg.mozilla.org/mozilla-central/rev/44bb81629125