https by default in browsers (track efforts, status re. ultimate goal)

[elvey]

From the main page:

The ultimate goal is to get browser vendors to enable https by default.

This extension has been working perfectly for me, and I very often enter domains into my browser (Firefox).

So I thought it would be useful to have a tracking bug to organize constructive efforts to achieve the ultimate goal. (Please, if you're commenting, keep far away as possible from whiny stuff -anything that's not clearly constructive, including comments on my parentheticals.) On topic would be, first of all, status with each major browser, status re. proving it's time for https by default. Links to relevant issues in their bug tracking systems & mailing list discussions too. (But not prematurely - let's not facilitate whining- ditto in those systems.) Hoping to see a comment from the team with some info soon.

[edit: Firefox(Mozilla): progressing well. There is active work being done (code changes ; bugs this depends on being opened and closed) on by a 'Julian' on bug 1613063 and connected to a bug opened by Rob--W.]

[Rob--W]

Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1628831

Chrome: https://blog.chromium.org/2021/03/a-safer-default-for-navigation-https.html

Other browser: I don't know.

EDIT: Added link to Chrome's announcement about turning on https by default in Chrome 90.

[cben]

Some old links from Security SE question:

• https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ generic vague plan...
• https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ Firefox showing red-crossed lock icon for http, especially on login fields
• https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure similar for Chrome, showing "not secure". not sure how exactly they stuck to the plan.
• https://security.googleblog.com/2020/02/protecting-users-from-insecure_6.html Chrome newer status/timeline, towards eventually blocking all mixed content.

[Lekensteyn]

Firefox 83 now has an option to force HTTPS-only mode: https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

It takes it even further than this extension as it includes subresources as well.

[Rob--W]

Allegedly the feature was released in Chrome 90, but it's off by default in the build: https://bugs.chromium.org/p/chromium/issues/detail?id=1200048#c10

To enable it, visit chrome://flags and set #omnibox-default-typed-navigations-to-https to Enabled. Note that the scheme is hidden by default. The Chromium patch in this repo shows the scheme, but an alternative to that is to load the extension at https://gist.github.com/Rob--W/cd9839f5157019912e68e8e4e3e15eb0 or set the referenced flags at chrome://flags.