Bug 1877935 - Enable HTTPS-First for non-default ports r=maltejur,necko-reviewers,devtools-reviewers

Differential Revision: https://phabricator.services.mozilla.com/D225241

browser/base/content/test/captivePortal/browser.toml

@@ -13,6 +13,7 @@ skip-if = ["os == 'win'"] # Bug 1313894
 
 ["browser_captivePortal_https_only.js"]
 
-["browser_closeCapPortalTabCanonicalURL.js"]
-
 ["browser_captivePortal_trr_mode3.js"]
+https_first_disabled = true
+
+["browser_closeCapPortalTabCanonicalURL.js"]

devtools/client/storage/test/browser.toml

@@ -69,6 +69,7 @@ skip-if = ["win11_2009"] # Bug 1797751
 ["browser_storage_cookies_domain.js"]
 
 ["browser_storage_cookies_domain_port.js"]
+https_first_disabled = true
 
 ["browser_storage_cookies_edit.js"]
 

dom/html/test/mochitest.toml

@@ -785,6 +785,7 @@ skip-if = [
 ["test_bug1287321.html"]
 
 ["test_bug1292522_same_domain_with_different_port_number.html"]
+https_first_disabled = true
 skip-if = [
   "http3",
   "http2",

dom/security/nsHTTPSOnlyUtils.cpp

@@ -124,11 +124,13 @@ void nsHTTPSOnlyUtils::PotentiallyFireHttpRequestToShortenTimout(
     return;
   }
 
+  // Upgrades for custom ports may be disabled in that case
   // HTTPS-First only applies to standard ports but HTTPS-Only brute forces
   // all http connections to be https and overrules HTTPS-First. In case
   // HTTPS-First is enabled, but HTTPS-Only is not enabled, we might return
   // early if attempting to send a background request to a non standard port.
-  if ((IsHttpsFirstModeEnabled(isPrivateWin) ||
+  if (!mozilla::StaticPrefs::dom_security_https_first_for_custom_ports() &&
+      (IsHttpsFirstModeEnabled(isPrivateWin) ||
        (loadInfo->GetWasSchemelessInput() &&
         mozilla::StaticPrefs::dom_security_https_first_schemeless()))) {
     int32_t port = 0;
@@ -381,17 +383,19 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(nsIURI* aURI,
     return false;
   }
 
-  // 5. HTTPS-First Mode only upgrades default ports - do not upgrade the
-  // request to https if port is specified and not the default port of 80.
+  // 5. Make sure HTTPS-First does not upgrade custom ports when it is disabled
   MOZ_ASSERT(aURI->SchemeIs("http"), "how come the request is not 'http'?");
-  int defaultPortforScheme = NS_GetDefaultPort("http");
-  // If no port is specified, then the API returns -1 to indicate the default
-  // port.
-  int32_t port = 0;
-  nsresult rv = aURI->GetPort(&port);
-  NS_ENSURE_SUCCESS(rv, false);
-  if (port != defaultPortforScheme && port != -1) {
-    return false;
+
+  if (!mozilla::StaticPrefs::dom_security_https_first_for_custom_ports()) {
+    int defaultPortforScheme = NS_GetDefaultPort("http");
+    // If no port is specified, then the API returns -1 to indicate the default
+    // port.
+    int32_t port = 0;
+    nsresult rv = aURI->GetPort(&port);
+    NS_ENSURE_SUCCESS(rv, false);
+    if (port != defaultPortforScheme && port != -1) {
+      return false;
+    }
   }
 
   // 6. Do not upgrade requests other than GET

dom/security/test/unit/test_https_only_https_first_default_port.js

@@ -26,7 +26,7 @@ const TESTS = [
   {
     description: "Test 3 - Explicit Custom Port (scheme: http, port: 8888)",
     url: "http://test1.example.com:8888",
-    expectedScheme: "http",
+    expectedScheme: "https",
     expectedPort: 8888,
   },
   {

modules/libpref/init/StaticPrefList.yaml

@@ -3960,6 +3960,12 @@
   value: @IS_NIGHTLY_BUILD@
   mirror: always
 
+# If true, HTTPS-First will upgrade non-default ports
+- name: dom.security.https_first_for_custom_ports
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
 # If true, top-level requests in Private Browsing Mode will get
 # upgraded to HTTPS. (If dom.security.https_first
 # is set to true then this pref has no effect)

netwerk/test/unit/test_httpssvc_https_upgrade.js

@@ -25,6 +25,11 @@ let h2Port;
 add_setup(async function setup() {
   trr_test_setup();
 
+  Services.prefs.setBoolPref(
+    "dom.security.https_first_for_custom_ports",
+    false
+  );
+
   h2Port = Services.env.get("MOZHTTP2_PORT");
   Assert.notEqual(h2Port, null);
   Assert.notEqual(h2Port, "");
@@ -51,6 +56,7 @@ add_setup(async function setup() {
     );
     Services.prefs.clearUserPref("network.dns.notifyResolution");
     Services.prefs.clearUserPref("network.dns.disablePrefetch");
+    Services.prefs.clearUserPref("dom.security.https_first_for_custom_ports");
   });
 
   if (mozinfo.socketprocess_networking) {

netwerk/test/unit/xpcshell.toml

@@ -815,6 +815,7 @@ skip-if = [
 run-sequentially = "node server exceptions dont replay well"
 
 ["test_httpssvc_https_upgrade.js"]
+https_first_disabled = true
 
 ["test_httpssvc_iphint.js"]
 run-sequentially = "node server exceptions dont replay well"

testing/mochitest/tests/SimpleTest/TestRunner.js

@@ -602,6 +602,11 @@ async function _runNextTest() {
         { type: "allowXULXBL", allow: true, context: "http://example.org" },
       ]);
     }
+    if (TestRunner._urls[TestRunner._currentTest].test.https_first_disabled) {
+      await SpecialPowers.pushPrefEnv({
+        set: [["dom.security.https_first", false]],
+      });
+    }
     TestRunner._makeIframe(url, 0);
   } else {
     $("current-test").innerHTML = "<b>Finished</b>";

toolkit/components/url-classifier/tests/unit/test_shouldclassify.js

@@ -125,6 +125,7 @@ function setupChannel(params) {
 }
 
 add_task(async function testShouldClassify() {
+  Services.prefs.setBoolPref("dom.security.https_first", false);
   Services.prefs.setBoolPref(
     "privacy.trackingprotection.annotate_channels",
     true