As of Firefox 136 (to release 2025-03-04), we intend to turn on the HTTPS-First Mode by default.
Summary:
HTTPS-First will upgrade all top-level loads to HTTPS, while falling back to HTTP if an HTTPS connection isn't possible. HTTPS-First has already been enabled in private browsing for multiple years [1] and for all Nightly users since June 2024 [2].
Bugs:
General tracking bug: https://bugzil.la/https-first-mode
To enable HTTPS-First in release: https://bugzil.la/https-first-release
Specification:
Work is in progress, but not yet merged, to specify the behavior of HTTPS-First under the name "HTTPS Upgrades" in the Fetch standard:
As both Blink and WebKit are already shipping features similar to the proposed specification, we find it acceptable to enable HTTPS-First before the HTTPS Upgrades proposal is merged.
Standards Body:
WHATWG
Platform coverage:
Desktop and Android
Preference:
dom.security.https_first
DevTools bug:
Link to standards-positions discussion:
https://github.com/mozilla/standards-positions/issues/800 (positive)
Other browsers:
Blink: Shipped since version 115, which released 2023-07-18
https://chromestatus.com/feature/6056181032812544
WebKit: Shipped since version 18.2, which released 2024-12-11
https://developer.apple.com/documentation/safari-release-notes/safari-18_2-release-notes#Security
web-platform-tests:
Tentative WPTs have been set up at https-upgrades/tentative/, but are currently still failing for all browsers. This is mainly due to HTTPS Upgrades only being specified to act on standard ports, and the WPT infrastructure making that difficult to test. See [3] for ongoing work on this. Besides WPTs, we do have good coverage of Firefox-specific tests for HTTPS-First that predate the HTTPS Upgrades proposal in [4].
Please let us know if you have any questions or concerns.
Malte Jürgens
Simon Friedberger
Frederik Braun
Christoph Kerschbaumer
[2] https://groups.google.com/a/mozilla.org/g/dev-platform/c/yt6Kc8cAHag/m/90N-MtFrAAAJ
[4] https://searchfox.org/mozilla-central/source/dom/security/test/https-first
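
The upgrade-and-fallback behaviour from the Summary, as an added JavaScript model that is not part of the original message and is not Firefox code. `tryLoad`, `sampleNetwork`, `cleartextLoads` and the `.example` hosts are hypothetical names and constructed data, and limiting upgrades to the default port is an assumption taken from the message's description of the HTTPS Upgrades proposal.

```javascript
// Added illustration: simplified model, not Firefox's implementation.
// `tryLoad(url)` is a hypothetical stand-in for the network layer; it returns
// true when a load of that URL succeeds.
function httpsFirstNavigate(rawUrl, { topLevel = true, tryLoad }) {
  const requested = new URL(rawUrl);
  const attempts = [];
  const attempt = (u) => {
    attempts.push(u.href);
    return tryLoad(u);
  };
  const result = (finalUrl, upgraded, fellBack) =>
    ({ finalUrl, upgraded, fellBack, attempts });

  // Only insecure top-level loads are candidates. Restricting to the default
  // port is an assumption based on the HTTPS Upgrades proposal as described in
  // the message; URL.port is "" for both "http://host/" and "http://host:80/".
  const candidate =
    topLevel && requested.protocol === "http:" && requested.port === "";
  if (!candidate) {
    return result(attempt(requested) ? requested.href : null, false, false);
  }

  const secure = new URL(requested.href);
  secure.protocol = "https:";
  if (attempt(secure)) return result(secure.href, true, false);

  // HTTPS was not possible: fall back to the URL that was originally requested.
  return result(attempt(requested) ? requested.href : null, false, true);
}

// Constructed sample: hosts that answer on HTTPS in this simulation.
const HTTPS_CAPABLE = new Set(["secure.example"]);
const sampleNetwork = (u) =>
  u.protocol === "http:" || HTTPS_CAPABLE.has(u.hostname);

// Audit helper: which navigations still end up on cleartext HTTP, and why?
function cleartextLoads(urls, tryLoad = sampleNetwork) {
  return urls
    .map((u) => httpsFirstNavigate(u, { tryLoad }))
    .filter((r) => r.finalUrl !== null && r.finalUrl.startsWith("http://"))
    .map((r) => ({ url: r.finalUrl, fellBack: r.fellBack }));
}
```

A site operator can read the `fellBack` flag as "this host still needs working HTTPS", while `fellBack: false` on a cleartext result marks a load the model never tried to upgrade.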