Mozilla added an optional HTTPS-only mode to Firefox 76 Nightly back in March 2020. The organization’s engineers have now added the mode to the settings of Firefox 80 Nightly, and it is likely that users of other Firefox channel versions, e.g. Firefox Stable, will be able to configure the mode once their version of the browser is updated to Firefox 80.
HTTPS-Only Mode is designed to enforce HTTPS on sites. It works similarly to HTTPS Everywhere and other HTTPS upgrade extensions for browsers in that it attempts to upgrade insecure HTTP connections to secure HTTPS connections.
The core difference between the native HTTPS-Only Mode and extensions is that Mozilla’s implementation attempts to upgrade every HTTP connection to HTTPS.
HTTPS Everywhere relies on a list to decide which connections to rewrite on sites that are opened in the browser.
Firefox’s HTTPS-Only Mode applies the upgrade to all HTTP connections, even if an HTTPS option is not available; this may lead to loading errors that can range from sites not loading at all to content on the site becoming unavailable.
Firefox informs the user if the entire site could not be loaded because it does not support HTTPS. The same is not true for elements that may not be loaded on a site, though.
Up until now, Nightly users had to set the value of the preference dom.security.https_only_mode to TRUE to enable the feature in the browser. A value of FALSE, the default, disables the HTTP to HTTPS upgrade enforcement in the browser.
Starting in Firefox 80, changing the preference manually is no longer necessary, though it remains available. Mozilla added controls for HTTPS-Only Mode to the browser’s options.
- Load about:preferences#privacy in the browser’s address bar and scroll all the way down to the HTTPS-Only Mode group.
- The feature is set to “Don’t enable HTTPS-Only Mode” by default.
- Switch it to Enable HTTPS-Only Mode in all windows to enable it everywhere, or
- Switch it to Enable HTTPS-Only Mode in private windows only, to only enable it for private browsing.
- A restart is not required.
When you enable the option, Firefox will rewrite HTTP links to HTTPS automatically.
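To verify whether the mode is actually switched on in a given profile, the preference named above can be read from the profile's prefs.js and user.js files. The following Python script is an added example, not code from Mozilla or from the original article. The sample file contents are constructed, it assumes one user_pref() call per line, and it checks only the preference the article names.

```python
import re

PREF = "dom.security.https_only_mode"  # preference named in the article
# One call per line, e.g.: user_pref("dom.security.https_only_mode", true);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {name: raw value} from prefs.js/user.js text; the last assignment wins."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)  # lines starting with // or # do not match
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def https_only_state(prefs_js, user_js=""):
    """Return (enabled, source). user.js is applied over prefs.js at startup."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        prefs = parse_prefs(text)
        if PREF in prefs:
            return prefs[PREF] == "true", source
    return False, "default"  # the article gives FALSE as the default


# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("dom.security.https_only_mode", true);
'''
SAMPLE_USER_JS = '''// user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode", false);
'''

if __name__ == "__main__":
    cases = {
        "set in prefs.js only": (SAMPLE_PREFS_JS, ""),
        "user.js overrides prefs.js": (SAMPLE_PREFS_JS, SAMPLE_USER_JS),
        "never set": ('user_pref("browser.startup.page", 3);\n', ""),
    }
    for label, (prefs_js, user_js) in cases.items():
        enabled, source = https_only_state(prefs_js, user_js)
        print(f"{label}: enabled={enabled} (from {source})")
```

A user.js file that sets the preference to false silently undoes the choice made in the options each time the browser starts, which is why the script reports the source of the effective value.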
When Mozilla launched the HTTP upgrade mode in Firefox 76, I concluded that it could be useful in some situations, e.g. when using profiles in Firefox and using one of the profiles for secure activities such as online banking.
The downside to enabling the mode is that it may break functionality on some sites, and some sites entirely. Since there is no simple “turn off mode on this page” option, it is quite cumbersome to deal with the issue when it is encountered.
I find it puzzling that the option is added to the browser’s preferences, considering that Mozilla’s stance in the past was to limit user exposure to settings that could potentially impact the accessibility of sites.
I think it would be better if Mozilla would integrate HTTPS Everywhere in the browser, maybe even with an option to enforce HTTPS everywhere. The extension is already included in the Tor Browser by default.
Now You: Would you use the HTTPS-Only Mode in your browser? (via Techdows)