HTTPS-Only mode, closes #1047
Thorin-Oakenpants authored Nov 22, 2020
1 parent a7e4268 commit 91cbc1e
Showing 1 changed file with 13 additions and 4 deletions.
17 changes: 13 additions & 4 deletions user.js
Expand Up @@ -34,6 +34,7 @@
- re-enable section 4600 if you don't use RFP
ESR78
- If you are not using arkenfox v78... (not a definitive list)
- 1244: HTTPS-Only mode is enabled
- 1401: document fonts is inactive as it is now covered by RFP in FF80+
- 4600: some prefs may apply even if you use RFP (currently none apply as of FF84)
- 9999: switch the appropriate deprecated section(s) back on
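Review bot: the new ESR78 entry "1244: HTTPS-Only mode is enabled" should carry the caveat that applies on 78: the 1244 block in this same commit warns that site exceptions cannot be set while FPI is enabled until FF83, so an ESR78 user who keeps the pref active with FPI has no way to exempt a site that does not serve HTTPS. Suggest wording it "1244: HTTPS-Only mode is enabled (see the FPI exceptions warning; keep commented if you need exceptions)" rather than the bare statement.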
Expand Down Expand Up @@ -728,14 +729,22 @@ user_pref("security.mixed_content.block_display_content", true);
user_pref("security.mixed_content.block_object_subrequest", true);
/* 1244: enable HTTPS-Only mode [FF76+]
* When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored
* [WARNING] This is experimental [1] and you can't set exceptions if FPI is enabled [2] (fixed in FF83)
* [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+)
* [SETTING] to add site exceptions: Page Info>HTTPS-Only mode>On/Off/Off temporarily
* [SETTING] Privacy & Security>HTTPS-Only Mode
* [TEST] http://example.com [upgrade]
* [TEST] http://neverssl.org/ [no upgrade]
* [1] https://bugzilla.mozilla.org/1613063 [META]
* [2] https://bugzilla.mozilla.org/1647829 ***/
// user_pref("dom.security.https_only_mode", true); // [FF76+]
user_pref("dom.security.https_only_mode", true); // [FF76+]
// user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
// user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+]
/* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
// user_pref("dom.security.https_only_mode.upgrade_local", true);
/* 1246: disable HTTP background requests [FF82+]
* When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox
* sends HTTP requests requests in order to check if the server supports HTTPS or not.
* This is done to avoid waiting for a timeout which takes 90 seconds
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
user_pref("dom.security.https_only_mode_send_http_background_request", false);

/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro]
* These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1])
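Review bot: the 1246 description has a doubled word in "sends HTTP requests requests in order to check if the server supports HTTPS or not", which should read "sends HTTP requests in order to check". Separately, 1246 is the one pref in this block switched on outright although it is gated FF82+, while 1244 and 1245 carry per-pref version tags on the user_pref lines themselves; since an active FF82+ pref is a no-op on ESR78, suggest adding the "// [FF82+]" tag on the user_pref line, as 1244 does, so a reader scanning active prefs sees the version requirement.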

4 comments on commit 91cbc1e

@crssi

@crssi crssi commented on 91cbc1e Nov 22, 2020


FYI: When dom.security.https_only_mode = true then security.mixed_content.block_display_content doesn't matter.

@Thorin-Oakenpants
Contributor Author


I didn't bother checking which process gets to the resources first - mixed_content (active/passive) or upgrading (HOM). Considering active is default true, I would assume Moz devs prioritize HOM over mixed_content. Both mixed_content are probably redundant with HOM, but who knows if they catch edge cases? IDK

We'll still keep the mixed_content prefs not commented out, for those who don't use HOM, e.g. ESR users who don't use v78

@crssi

@crssi crssi commented on 91cbc1e Nov 22, 2020


Sure. Just wanted to point it out, if you find it helpful somehow. 😉 ❤️

@rusty-snake
Contributor


sends HTTP requests requests in order to check if the server supports HTTPS or not.
