1. 47

Introduced in Firefox 83, which is launching later today.

  1. 13

    I didn’t write the blog post and I didn’t write the code, but I’m in that same team. Happy to answer (or redirect) any questions you might have :)

    1. 3

      When will this be enabled by default, and when will http: requests be complete denied? I’m asking not because I want to see that, but because I’m afraid of that happening and shutting me out of certain websites entirely.

      1. 9

        I can’t see that happen at all. Too many requests are still HTTP. You are not alone :)

        1. 8

          For the small number of websites that don’t yet support HTTPS, Firefox will display an error message that explains the security risk and asks you whether or not you want to connect to the website using HTTP.

          We can bypass improper HTTPS (expired, self-signed, wrong domain name) errors. Why do you think we would not be able to bypass this new error?

          1. 4

            Based on Mozilla’s history, in a future version, this setting will be enabled by default and only accessible through about:config, like JavaScript.

            1. 3

              Unfortunately the programmers behind web browsers are known for pulling stuff like this. The last time I tried to use websockets and my webcam over an insecure connection for testing purposes I quickly realized that they really hate their users as disabling some of the security options is just not possible.

            2. 3

              To confirm, this replaces the need to use HTTPS Everywhere?

              1. 3

                It works a bit different. HTTPS Everywhere in default mode is a bit less progressive and just updates for a list of pre defined websites. It’s similar to a stricter mode of HTTPS Everywhere though.

              2. 1

                Thank you for adding this mode. I’m not sure whether we can turn it on at work but it’s great to have it available.

              3. 6

                So planning to break even more websites?

                I’m already struggling to find energy to keep using Firefox when it generally performs much worse than Chrome, adding more friction won’t make anything better in my opinion.

                Let’s see, I believe in a world where FF leads the way once again, one can only hope.

                1. 11

                  This is opt-in. Did you read the full article?

                  1. 11

                    The future of the web is HTTPS-Only

                    Once HTTPS becomes even more widely supported by websites than it is today, we expect it will be possible for web browsers to deprecate HTTP connections and require HTTPS for all websites. In summary, HTTPS-Only Mode is the future of web browsing!

                  2. 5

                    This isn’t on by default.

                    1. 3

                      I missed that. Thanks!

                    2. 3

                      Since the launch of Let’s Encrypt, every browser (not only Firefox) has incrementally pushed HTTPS-related features to incentive its generalization.

                      Sure, FF83 is making a radical (but optional) move here, but I have the feeling that it’s only the continuation of that trend every browser support. That is, I wouldn’t be surprised if Chrome follows and releases a similar feature in near future.

                    3. 3

                      Hm, maybe I should just use this instead of often manually typing https:// “in case that domain does not have HSTS” :D

                      1. 1

                        This isn’t working for me with local host names only FQDM. With a local host name, clicking the “HTTP” button to continue to the http version does nothing.

                        Also, I think it would be very beneficial with a whitelist, like HTTPS everywhere has.