brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Clarify HTTPS by Default feature text to indicate that it only applies to mainframe navigations #38428

Open ShivanKaul opened 1 month ago

ShivanKaul commented 1 month ago

Description

Our HTTPS by Default feature describes the default setting for HTTPS upgrades as "Upgrade connections to HTTPS". However, this is technically inaccurate since the feature only applies for mainframe navigations (in the top-level context). It doesn't apply for subresource requests, so not all connections are actually upgraded to HTTPS.

Note: For subresources, we try to upgrade passive mixed content (e.g. images, other media) on a secure page and block the resource if the upgrade fails, and we outright block insecure active mixed content (e.g. scripts) on a secure page. This behaviour is not affected by the HTTPS by Default toggle.

Steps to reproduce

Open Shields panel or go to brave://settings/shields and check out the HTTPS upgrades feature toggle

Actual result

See the text mentioned above

Expected result

Some text that is more accurate

Reproduces how often

Easily reproduced

Desktop Brave version (brave://version info)

All

Android device

All

Channel information

Reproducibility

Miscellaneous information

No response
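
The distinction drawn in the description, as an added example that is not part of the original issue and is not Brave's code: a small auditor that lists the plain-HTTP references in a page and labels which mechanism from the issue text would handle each one. The tag grouping, the treatment of `<a href>` as a main-frame navigation, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed grouping: images/media passive, scripts active (iframes, stylesheets too).
KIND = {"img": "passive", "audio": "passive", "video": "passive",
        "source": "passive", "script": "active", "iframe": "active"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure_page = urlsplit(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":  # approximated as a main-frame navigation when clicked
            self._record(tag, attrs.get("href"), "navigation")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            self._record(tag, attrs.get("href"), "active")
        elif tag in KIND:
            self._record(tag, attrs.get("src"), KIND[tag])

    def _record(self, tag, ref, kind):
        url = urljoin(self.page_url, ref or "")
        if not ref or urlsplit(url).scheme != "http":
            return  # only plain-HTTP references are of interest
        if kind == "navigation":
            handling = "main-frame navigation: HTTPS by Default toggle applies"
        elif not self.secure_page:
            handling = "subresource on insecure page: toggle does not apply"
        elif kind == "passive":
            handling = "passive mixed content: upgrade tried, blocked on failure"
        else:
            handling = "active mixed content: blocked"
        self.findings.append((tag, url, handling))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="http://cdn.example/app.js"></script><img src="http://img.example/logo.png">
<video src="//media.example/clip.mp4"></video><a href="http://other.example/">link</a>"""
if __name__ == "__main__":
    print(*audit("https://site.example/", SAMPLE), sep="\n")
```

Running the same sample against an `http://` page URL shows the case the issue is about: the subresources are reported as outside the toggle's scope, and only the link navigation is covered.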

ShivanKaul commented 1 month ago

We could also just put a Learn More link in brave://settings/shields.