[Problem/Bug]: Regression: Canary 120.0.2183.0 can't navigate to some HTTP pages, auto-upgrades to HTTPS

[RendijsSmukulis]

What happened?

The latest (120.0.2183.0) Canary version gets stuck in a weird HTTP-to-HTTPS upgrade loop when navigating to some HTTP-only pages. The page keeps refreshing, basically being unusable. Fiddler shows network traffic indicating WebView2 is stuck in a weird loop re-requesting the page ad-infinitum. Turns out the redirect loop was caused by the page trying to get back to HTTP. However, the issue stands - we currently can't navigate to some HTTP pages, as WebView2 forces the HTTPS version.

Importance

Blocking. My app's basic functions are not working due to this issue.

Runtime Channel

Prerelease (Edge Canary/Dev/Beta)

Runtime Version

120.0.2183.0

SDK Version

No response

Framework

WPF

Operating System

Windows 10

OS Version

No response

Repro steps

URL: http://privacy-test-pages.site/privacy-protections/https-upgrades/

• Previous WebView2 versions: loaded the HTTP page just fine.
• 120.0.2183.0: Redirects to HTTPS, then gets stuck in what appears to be a redirect loop, infinitely re-requesting and refreshing the page.

Fiddler traffic of the 120.0.2183.0:

Notice how there's no HTTP request, WebView2 immediately requests HTTPS. Then gets stuck in a request loop.

Fiddler traffic for previous versions:

Notice how it requests the HTTP version, and does not touch the HTTPS endpoint. No infinite redirects, either.

Regression

Regression in newer Runtime

Last working version (if regression)

120.0.2173.0

AB#47272331

[RendijsSmukulis]

Additional info: Edge Canary (the browser itself, Version 120.0.2183.0 (Official build) canary (64-bit)) is not demonstrating this regression:

[fabiorocha]

@yildirimcagri-msft can you PTAL?

[RendijsSmukulis]

Update on the redirect issue: I've had time to dig into the page's source, and it appears the page is redirecting itself to HTTP when visited on HTTPS; so the redirect loop is caused by the page.

However, the unexpected HTTP-to-HTTPS upgrade means we currently have no means to have users visit HTTP pages if they intended to visit the HTTP version. This will also break any page that expects visitors on HTTP, and redirect to HTTP from HTTPS.

Neither Chrome nor Edge Canary upgrade that page to HTTPS when visited on HTTP.

[yildirimcagri-msft]

Hi @RendijsSmukulis , thanks for reporting this issue. Upon looking further, I can see that there was a change that enabled the https upgrade feature by default in Edge 120. I can also repro this in Edge Canary when I navigate to https://privacy-test-pages.site/privacy-protections/https-upgrades/ causing the loop, but not when directly navigated to the http URL. I think this is because the https upgrade is not done for Edge address bar navigations where http is explicitly typed (but is effective when the page script navigates it to http page, hence reproing the issue in Edge Canary when originally navigating to the https page as well). Does the issue disappear for you if you set --disable-features=HttpsUpgrades in AdditionalBrowserArguments? In the meantime, I'll engage the relevant Edge team about this and we'll figure out what the behavior should be for WebView2.

[RendijsSmukulis]

Hi @yildirimcagri-msft, that flag resolves our issue. Thank you!

[yildirimcagri-msft]

Hi again, for WebView2, we made a fix to match the behavior with the browser so the upgrade doesn't happen for API navigations and we will cherry pick it to 120. You can verify whether the fix works for you currently on Canary runtime. Let us know if you need more help, thanks!