Skip to content

Bug 19850: Disable Plaintext HTTP Clearnet Connections

As discussed on #19850 (closed), it is time for us to force Tor Browser traffic to go on HTTPS only.

As reported by Arthur on #19850 (comment 2772089), Firefox's HTTPS-Only mode can coexist with HTTPS-Everywhere, so we can enable it as soon as possible.

In this MR, I also redefined dom.security.https_only_mode.upgrade_onion to be false, even though it already is. I do not see why Mozilla should change this, but I discussed that on IRC, and we decided to do so, to be on the safe side.

I expressed other questions on #19850 (comment 2777613), especially about dom.security.https_only_mode_send_http_background_request.

It makes sense to me to keep it enabled (see the comment, and the attached paper).

We could disable it for Safer/Safest modes, but that would be a different MR on torbutton 🙂.

Merge request reports

Loading