Rob--W / https-by-default

Use HTTPS by default for navigations from the location bar in Chrome / Firefox.
MIT License

<noscript><meta http-equiv=Refresh> should not force https with NoScript #21

Open Lekensteyn opened 6 years ago

Lekensteyn commented 6 years ago

test.html:

<noscript>
<meta http-equiv="Refresh" content="0;URL=http://example.com/">
</noscript>

Open http://localhost:8000/test.html (or wherever you host it) with scripts blocked by NoScript (either untrusted or default policy with active content blocked).

Expected result: http://example.com/ (scheme http) should be opened

Actual result: https://example.com/ (scheme https) is opened.

Versions: Firefox 59.0.1, HTTPS by default 0.4.5, NoScript 10.1.7.5

Additional information: it seems that the redirect is indistinguishable from a URL as entered in the location bar. Contents of details from onBeforeRequest:

{
  "requestId": "61",
  "url": "http://example.com/",
  "method": "GET",
  "type": "main_frame",
  "timeStamp": 1522833130652,
  "frameId": 0,
  "parentFrameId": -1,
  "proxyInfo": null,
  "ip": null,
  "frameAncestors": [],
  "tabId": 7
}

When visiting a URL (example.com) from the location bar, the details change to:

@@ -1,13 +1,13 @@
 {
-  "requestId": "61",
-  "url": "http://example.com/",
+  "requestId": "72",
+  "url": "http://example.net/",
   "method": "GET",
   "type": "main_frame",
-  "timeStamp": 1522833130652,
+  "timeStamp": 1522833147688,
   "frameId": 0,
   "parentFrameId": -1,
   "proxyInfo": null,
   "ip": null,
   "frameAncestors": [],
-  "tabId": 7
+  "tabId": 8
 }
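
Review bot: the changed "url" line shows http://example.net/ while the sentence introducing the diff names example.com, so that difference reflects the test target rather than how the navigation started. The other changed lines ("requestId", "timeStamp", "tabId") are per-request or per-tab values, and every remaining field, including "type": "main_frame" and "frameId": 0, is identical, so nothing visible in details separates the meta refresh from a location-bar entry. Capturing both cases against the same URL in the same tab would make the comparison exact.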