w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

Form submission warning does not address redirects #31

Open annevk opened 4 years ago

annevk commented 4 years ago

As far as I can tell the current text would not prevent or require a dialog for a POST to https://same-origin.example/endpoint to 307/308 redirect to http://elsewhere.example/actual-endpoint.

mikewest commented 4 years ago

I don't think the current text would prevent a form submission to the HTTP endpoint to begin with. AFAIR, any warning or enforcement is wrapped up in "The user agent MAY do whatever it feels like here instead of just returning allowed." around 1.4 of https://w3c.github.io/webappsec-mixed-content/#should-block-fetch.

But it's been a long time since I looked at this. Are we more explicit about the algorithm somewhere?

annevk commented 4 years ago

The problem is with the text at https://w3c.github.io/webappsec-mixed-content/#requirements-forms (that MIX2 doesn't seem to meaningfully alter, but that's #28). It allows for warning or even blocking, but ignores the redirect problem entirely.

mikewest commented 4 years ago

Got it, thanks!

Yes, that text only handles explicitly mixed content (e.g. `<form action="http://not-secure.site/">`), and you're quite right that it doesn't handle redirects. AFAIR, Chromium doesn't do anything in particular to warn about the post-redirect page to which a top-level navigation occurred. I don't recall Firefox doing anything either.

@carlosjoan91 and @estark37 are the right people to chat with about the UX considerations from Chromium's side.

annevk commented 4 years ago

That would allow a page to hide the user-facing warning quite easily while not solving the problem. (And potentially create other problems depending on how they go about creating this redirect.)

carlosjoan91 commented 4 years ago

In Chromium the current UI doesn't degrade on redirects, but I think that's more due to implementation issues (i.e. having to actually trigger a navigation to the target URL before form submission to detect redirects) rather than by design. We are planning to add a mixed form on-submission warning to Chromium, and that one will actually show for redirects.

I can add a step explaining the UA may show a warning if a redirect to an HTTP URL is found while submitting a form from an HTTPS URL if other implementers are interested in something similar. Do you think it would make sense to add that wording to MIX too or just to MIX2?

annevk commented 4 years ago

As MIX2 replaces MIX I don't see a real need to maintain the former personally. I'm not sure if Firefox is interested in implementing such a warning, but it does seem to me that any implementation that does not warn upon such a redirect is incomplete and has UI that can be easily circumvented.
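
The redirect gap discussed in this thread, as an added example that is not part of the issue, the specification, or any browser's code: an audit function that walks a form submission's redirect chain and reports when a submission from an HTTPS page reaches an `http:` URL, and whether the POST body is replayed there (307/308 keep method and body; 301/302/303 turn a POST into a body-less GET). The function name, the finding types and the hop format are assumptions made for illustration.

```javascript
// Added example: flags form submissions from an HTTPS page that reach an
// http: URL, either directly (action attribute) or through a redirect.
const REDIRECTS = new Set([301, 302, 303, 307, 308]);
const KEEPS_METHOD_AND_BODY = new Set([307, 308]);

// hops: constructed list of responses, one per request in the chain,
// each { status, location }. All names here are hypothetical.
function auditFormSubmission(pageUrl, action, method, hops) {
  const findings = [];
  // Mixed-content rules only concern documents loaded over HTTPS.
  if (new URL(pageUrl).protocol !== 'https:') return findings;

  let url = new URL(action, pageUrl);
  let verb = method.toUpperCase();

  // Case the form requirements already cover: action is explicitly http:.
  if (url.protocol === 'http:') {
    findings.push({ type: 'explicit-mixed-form', url: url.href,
                    bodySent: verb === 'POST' });
  }

  // Case raised in the issue: a secure action that redirects to http:.
  for (const { status, location } of hops) {
    if (!REDIRECTS.has(status) || !location) break;
    // 301/302/303 turn a POST into a body-less GET; 307/308 replay the POST.
    if (verb === 'POST' && !KEEPS_METHOD_AND_BODY.has(status)) verb = 'GET';
    const next = new URL(location, url);
    if (url.protocol === 'https:' && next.protocol === 'http:') {
      findings.push({ type: 'redirect-to-insecure', status, url: next.href,
                      bodySent: verb === 'POST' });
    }
    url = next;
  }
  return findings;
}

// Constructed sample: the scenario from the first comment in this thread.
console.log(auditFormSubmission(
  'https://same-origin.example/form', '/endpoint', 'post',
  [{ status: 307, location: 'http://elsewhere.example/actual-endpoint' }]));
```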