On making HTTPS the default for new tests

[Lars Tomer Yavor]

Hi all,

TLDR; Please use HTTPS URLs instead of HTTP URLs in new tests implemented in JavaScript! You can do so by directly using HTTPS or writing scheme-relative URLs (//example.com/path) throughout your test code. From Wednesday, 7th of September, a new static analysis rule will be applied which warns you about HTTP URLs in new tests (Bug 1709150)! The new rule also provides an autofixing option which you can run with ./mach eslint –fix {yourTestFilesName}. In case your test code needs to use http, e.g. for full coverage, please disable the rule for the specific line.

As you probably know, the web is migrating towards HTTPS, and we think it’s time that our tests on mozilla-central should default to using HTTPS too. While using HTTP is occasionally necessary to test specific scenarios, in the majority of cases we should rather rely on HTTPS.

We, the Security Engineering Team, are working on various efforts to bring more HTTPS to the web. Initiatives like HTTPS-Only-Mode, or also HTTPS-First-Mode (aka HTTPS-By-Default) try to ensure that Firefox will favor secure and encrypted connections whenever possible.

While we (and the web) are not ready to fully roll out the above-mentioned features, we would like to benefit from the ability to enable such security-enhancing features in our testing environment. Currently, many tests fail when we enable HTTPS-First-Mode. Oftentimes the failing is caused by hard coded URLs, and we want to prevent the introduction of more such tests to our infrastructure.

To support our cause, we are going to land a new eslint rule that warns on hard coded “http” URLs for new tests. After the rule is applied we will gradually update the existing test files to use HTTPS (Bug 1709150). When doing so, we will review and ensure to sustain the current test coverage for HTTP if needed.

Let’s stay safe and secure the web together!

Best regards,

Tomer, Freddy and Christoph