Hello,

TLDR: We are flipping the pref dom.security.https_first to true in Firefox
Nightly.

For the last few years, we have been developing a feature called
HTTPS-First. HTTPS-First will upgrade all insecure top-level page loads to
use HTTPS, while falling back to HTTP if the site isn’t available via
HTTPS. This feature has been enabled by default in private browsing since
Firefox 91
<https://blog.mozilla.org/security/2021/08/10/firefox-91-introduces-https-by-default-in-private-browsing/>.

There is now a proposal to standardize this behavior under the name HTTPS
Upgrades <https://github.com/whatwg/fetch/pull/1655> driven by Google. Our
HTTPS-First implementation largely aligns with it, but there are a few
corner cases left unmentioned that we are still hoping to get alignment on.

With this new proposal, and us having addressed most of the web
compatibility concerns in the last few years, we now feel confident enabling
HTTPS-First by default in Nightly (tracking bug
<https://bugzilla.mozilla.org/show_bug.cgi?id=1719271>). Additionally, we
hope to ship HTTPS-First / HTTPS Upgrades in Release by the end of the year.

By enabling HTTPS-First in Nightly now, we mainly want to ensure that newly
added automated tests work correctly with HTTPS-First. There were a lot of
tests that did not expect an HTTPS page to load when they started to load an
HTTP URL, and thus failed with HTTPS-First enabled. We have fixed all those
failures by either moving the tests to just use HTTPS directly, or by
manually disabling HTTPS-First for the tests.

If you have any questions please let us know.

Best

Malte Jürgens
Frederik Braun
Simon Friedberger
Christoph Kerschbaumer
