HTTPS-Only Mode

[Amejia481]

User Story

• As a user, I want be able to opt in to use the HTTPS-Only Mode

Dependencies

• GeckoView bug.

Acceptance Criteria

• When I navigate to any site, the HTTPS version should be always served

---

The https-only error page may appear if there is another error encountered even if the target redirected to a https page - https://bugzilla.mozilla.org/show_bug.cgi?id=1759114

┆Issue is synchronized with this Jira Task

[Amejia481]

This functionality was already introduced in desktop 83 and we want to start gathering all the dependencies needed for the feature.

cc: @vesta0

[saschanaz]

Duplicate of #14682 and of #12347

[Amejia481]

@saschanaz I think we could close the other ones are they are feature requests, this is an user story issue and it will be used for creating all the UI/UX and engineering tasks :)

[kbrosnan]

This needs error page work as well. We need to figure out a way to provide the escape hatch button to http. Need to sort out how the error page will work with PWAs. Need to think about how the escape hatch persistence will work with things like private browsing.

[ghost]

really needed feature

[julian-alarcon]

As bug in Gecko view was already closed, it should be a priority.

[cschanaj]

EFF has announced that HTTPS Everywhere is expected to reach its EOL by the end of 2021. HTTPS-Only Mode on Fenix could be a preferred alternatives to HTTPS Everywhere EASE mode to enforce HTTPS secure connections only and block HTTP connections on insecure mobile networks. I sincerely hope this feature can be prioritized.

Related: EFForg/https-everywhere#20048 cc @zoracon

[Amejia481]

@brampitoyo just to let you know that this is something that we want to add UI on Fenix and Focus, could you help us with the designs ? cc @amedyne

[brampitoyo]

@Amejia481 @amedyne I would say that Focus should go HTTPS-Only by default, without showing any UI. This way, our users will get automatic browsing security without any hassle.

But I wonder whether there’s any side effect to this decision? I’d love to hear your feedback.

I will bring this up in the next UI Catchup meeting with @channingcarter, as well.

[cadeyrn]

@brampitoyo

But I wonder whether there’s any side effect to this decision?

It's already on by default in Focus (or Fenix in private mode as well as in the desktop Firefox in private mode) and not having an UI already causes issues in Focus: mozilla-mobile/focus-android#5199

[Amejia481]

@brampitoyo as @cadeyrn mentioned Focus and Fenix are already using HTTPS-Only mode (in private browsing) by default without UI and the only side effect that we are experiencing is mozilla-mobile/focus-android#5199 as @cadeyrn mentioned, without the UI users don't have a way indicate that they want to proceed to navigate to HTTP sites in edge cases like mozilla-mobile/focus-android#5199.

[amedyne]

@brampitoyo desktop has provided options for users to change the default values. You can refer to them here. We can discuss further what we can do for Focus (and Fenix).

[brampitoyo]

@amedyne For Fenix, I think we can safely implement the same UI as desktop: with identical explanation, radio buttons, and exceptions list. (Let’s consult @betsymi at Content Design first, though!)

Do you know what desktop’s default value is? On Fenix, I feel pretty safe toggling Enable in private windows only to ON, but it’s best to follow desktop’s default value and not risk broken sites.

---

As for Focus, it’s clear that this feature should be toggled Enable, and it should only have two radio buttons: Enable and Don’t enable. Focus is always private, and there’s no need for a third radio button.

What will need more thinking is whether Focus should also ship with an exceptions list. I lean towards a “no”, so Focus stays slim and doesn’t maintain yet another list. If a site doesn’t work properly on a secondary browser like Focus, opening it on a primary browser like Firefox is an option.

[saschanaz]

It's disabled by default on desktop: https://searchfox.org/mozilla-central/rev/fdd13237fcff2692404313b731a4ee0cba9e8ecb/modules/libpref/init/StaticPrefList.yaml#3075-3080

[yoasif]

This is parity-chrome as of Chrome 94. HTTPS Everywhere is also being retired: https://www.eff.org/deeplinks/2021/09/https-actually-everywhere

[Amejia481]

Just for reference we need the same engineering tasks as the focus counterpart mozilla-mobile/focus-android#5365 (comment)

[sheikh-azharuddin]

Just a suggestion..instead of adding this on the main setting menu which will increase the list..why not add a sub menu under privacy and security called "network security", inside this you can add https only mode and DNS server like cloudflare/nextdns/custom like desktop variant ..., majority of chromium browser has this setting..maybe it can be added in future but yes submenu will create a placeholder

[SoftVision-LorandJanos]

Verified as fixed on the latest Nightly 100.0a1 (2022-03-30) build.
Devices used:

• Google Pixel 4 (Android 11).
• Oppo Reno 6 (Android 12).
  Closing the ticket as fixed.