As of Firefox 136 (to release 2025-03-04), we intend to turn on the HTTPS-First Mode by default.

Summary: HTTPS-First will upgrade all top-level loads to HTTPS, while falling back to HTTP if an HTTPS connection isn't possible. HTTPS-First has already been enabled in private browsing for multiple years [1] and for all Nightly users since June 2024 [2].

Bugs:
- General tracking bug: https://bugzil.la/https-first-mode
- To enable HTTPS-First in release: https://bugzil.la/https-first-release

Specification: Work is in progress, but not yet merged, to specify the behavior of HTTPS-First under the name "HTTPS Upgrades" in the Fetch standard:
- https://github.com/whatwg/fetch/issues/1654
- https://github.com/whatwg/fetch/pull/1655

As both Blink and WebKit are already shipping features similar to the proposed specification, we find it acceptable to enable HTTPS-First before the HTTPS Upgrades proposal is merged.

Standards Body: WHATWG

Platform coverage: Desktop and Android

Preference: dom.security.https_first

DevTools bug: https://bugzil.la/1907518

Link to standards-positions discussion: https://github.com/mozilla/standards-positions/issues/800 (positive)

Other browsers:
- Blink: Shipped since version 115, which released 2023-07-18
  https://chromestatus.com/feature/6056181032812544
- WebKit: Shipped since version 18.2, which released 2024-12-11
  https://developer.apple.com/documentation/safari-release-notes/safari-18_2-release-notes#Security

web-platform-tests: Tentative WPTs have been set up at https-upgrades/tentative/, but are currently still failing for all browsers. This is mainly due to HTTPS Upgrades only being specified to act on standard ports, and the WPT infrastructure making that difficult to test. See [3] for ongoing work on this. Besides WPTs, we do have good coverage of Firefox-specific tests for HTTPS-First that predate the HTTPS Upgrades proposal in [4].

Please let us know if you have any questions or concerns.

Malte Jürgens
Simon Friedberger
Frederik Braun
Christoph Kerschbaumer

[1] https://blog.mozilla.org/security/2021/08/10/firefox-91-introduces-https-by-default-in-private-browsing
[2] https://groups.google.com/a/mozilla.org/g/dev-platform/c/yt6Kc8cAHag/m/90N-MtFrAAAJ
[3] https://bugzil.la/1877935
[4] https://searchfox.org/mozilla-central/source/dom/security/test/https-first
