HTTPSE Shield Setting → Scheme Independent #688

Closed
jhreis opened this issue Jan 9, 2019 · 6 comments

Collaborator

@jhreis jhreis commented Jan 9, 2019

HTTPSE shield needs to become scheme independent due to the following situation:

Steps:

  1. Make sure HTTPSE is enabled
  2. Visit http://espn.com
  3. See website was upgraded to HTTPS
  4. Turn off HTTPSE for https://espn.com
  5. Visit http://espn.com
  6. Get upgraded to https://espn.com

It becomes impossible to turn off HTTPSE for an http scheme, since the shield setting is only being adjusted for the current website (being https://espn.com).

An acceptable fallback option is to make all shields scheme independent.
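
The loop in the steps above, reproduced with a per-site settings store keyed by full origin and then by hostname only. This is an added example, not Brave's code: `ShieldStore`, `navigate`, `UPGRADE_HOSTS` and the host `news.example` are hypothetical names and constructed data.

```javascript
// Added illustration, not Brave's implementation. All names are hypothetical.
// Constructed stand-in for an HTTPS Everywhere ruleset: hosts that get upgraded.
const UPGRADE_HOSTS = new Set(["news.example"]);

// Key that includes the scheme: http:// and https:// get separate settings.
const originKey = (url) => new URL(url).origin;
// Scheme-independent key: hostname only, so scheme (and port) are ignored.
const hostKey = (url) => new URL(url).hostname;

class ShieldStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.httpseOff = new Set(); // keys of sites where the user turned HTTPSE off
  }
  setHttpse(url, enabled) {
    const key = this.keyFn(url);
    if (enabled) this.httpseOff.delete(key);
    else this.httpseOff.add(key);
  }
  isHttpseEnabled(url) {
    return !this.httpseOff.has(this.keyFn(url));
  }
}

// Returns the URL that would actually be loaded for a navigation request.
function navigate(store, url) {
  const u = new URL(url);
  const upgradable = u.protocol === "http:" && UPGRADE_HOSTS.has(u.hostname);
  if (upgradable && store.isHttpseEnabled(url)) u.protocol = "https:";
  return u.href;
}

// Replays steps 2-6 of the issue and returns where the second visit lands.
function replayIssue(keyFn) {
  const store = new ShieldStore(keyFn);
  const first = navigate(store, "http://news.example/"); // steps 2-3: upgraded
  store.setHttpse(first, false); // step 4: toggle is applied to the https page
  return navigate(store, "http://news.example/"); // steps 5-6
}

console.log(replayIssue(originKey)); // https://news.example/ (setting never matched)
console.log(replayIssue(hostKey));   // http://news.example/  (setting honoured)
```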

@jhreis jhreis self-assigned this Jan 9, 2019
jhreis added a commit that referenced this issue Jan 9, 2019
… versions of a url.
Contributor

@srirambv srirambv commented Jan 10, 2019

Seeing the cert error page when loading an HTTP site with HTTPS prefix

Contributor

@srirambv srirambv commented Jan 16, 2019

I still see the https scheme used by the site when loading, but it doesn't actually load the site via https. Here are the steps:

  1. Clean profile
  2. Visit https://espn.com in a new tab, loads via http itself
  3. Tap on url to enter edit mode, shows site using http://espn.com
  4. Edit url to https://espn.com and tap on go, page reloads, https 🔒 flashes but shows http url
  5. Tap on url to enter edit mode, shows https://espn.com instead of http://espn.com

@GeetaSarvadnya GeetaSarvadnya commented Jan 16, 2019

Seeing the same on iPhone 8 as well.

Contributor

@srirambv srirambv commented Jan 21, 2019

On the last build this is what I see:

  1. Visit https://pdf995.com
  2. Shows Cert error page to continue to the site
  3. Go to advanced and continue to the site, URL shows https://pdf995.com (expected because of step 2)
  4. Visit https://espn.in (because for me visiting .com redirects to .in)
  5. No cert error page is shown, just loads the page with http://espn.in (I assume this should have been similar to pdf995)
  6. Edit url to https://espn.in, I see the same happening as what's mentioned in #688 (comment)

@kylehickinson @jhreis @tomlowenthal could you confirm which behaviour is correct?


@btlechowski btlechowski commented Jan 21, 2019

espn.com behavior:

  • https://espn.com always opens to http://www.espn.com. Tested on Chrome v71.0.3578.98, Firefox 65 and Brave 0.58.21.
  • http://espn.com opens http://www.espn.com. Tested on Chrome v71.0.3578.98, Firefox 65 and Brave 0.58.21.
  • http://www.espn.com never upgrades to https://www.espn.com. Tested on Brave 0.58.21, Brave Beta 0.59.26, Brave Dev 0.60.15, iOS 1.7.2(19.1.18.15), which is intended because of the HTTPS Everywhere ruleset https://www.eff.org/https-everywhere/atlas/letters/e.html. Also tested in Firefox 65 with HTTPS Everywhere extension.
  • https://www.espn.com opens secure https://www.espn.com - which is expected

Considering the above, the initial issue and subsequent issues are invalid.

Nevertheless, the fix for changing the shield setting being applied to http and https is desired and it works.


@GeetaSarvadnya GeetaSarvadnya commented Jan 21, 2019

Tested HTTPSE upgrade on latest build 1.7.2(19.1.18.15). Please find my observations below:

  1. When HTTPSE is enabled
    • If I visit http://espn.com it is never upgraded to HTTPS. It always opens http://www.espn.in/
    • If I visit https://www.espn.com it opens https://www.espn.in/
    • If I visit https://espn.com it opens http://www.espn.in/
  2. When HTTPSE is turned off
    • If I visit https://espn.com it opens http://www.espn.in/
    • If I visit https://www.espn.com it opens https://www.espn.in/
    • If I visit http://espn.com it opens http://www.espn.in/

Results are as expected, verified on other platforms' browsers.
