As you probably know, the web is migrating towards HTTPS, and we think it’s time that our tests on mozilla-central should default to using HTTPS too. While using HTTP is occasionally necessary to test specific scenarios, in the majority of cases we should rather rely on HTTPS.
We, the Security Engineering Team, are working on various efforts to bring more HTTPS to the web. Initiatives like HTTPS-Only-Mode, or also HTTPS-First-Mode (aka HTTPS-By-Default) try to ensure that Firefox will favor secure and encrypted connections whenever possible.
While we (and the web) are not ready to fully roll out the above-mentioned features, we would like to benefit from the ability to enable such security-enhancing features in our testing environment. Currently, many tests fail when we enable HTTPS-First-Mode. Oftentimes the failing is caused by hard coded URLs, and we want to prevent the introduction of more such tests to our infrastructure.
To support our cause, we are going to land a new eslint rule that warns on hard coded “http” URLs for new tests. After the rule is applied we will gradually update the existing test files to use HTTPS (Bug 1709150). When doing so, we will review and ensure to sustain the current test coverage for HTTP if needed.
Let’s stay safe and secure the web together!
Tomer, Freddy and Christoph