ipfs-companion
HTTPS Everywhere in EASE mode blocks redirect to http://*.localhost
There is an Encrypt All Sites Eligible (EASE) opt-in mode in HTTPS Everywhere which protects users against downgrade from https:// to http:// even when the HSTS header is not present.
Problem
This is a minor inconvenience for DNSLink redirects to *.localhost subdomains introduced in #853, as those get blocked if the feature is enabled:
Solution
- Before starting work, check if the issue is limited to Firefox
  - if so, this may go away when Firefox marks *.localhost as Secure Context (Bug 1220810), but that depends on how HTTPS Everywhere determines "unsafe" redirect (won't help if they just look at URL.protocol scheme, and not if URL.origin is Secure Context)
- Universal fix: PR HTTPS Everywhere to exclude redirects to *.localhost as browser vendors hardcode it to point at loopback IP and mark it as Secure Context
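
The difference between a scheme-only redirect check and one that exempts loopback hosts, as an added example that is not code from HTTPS Everywhere or ipfs-companion. The function names and the sample redirect sources are assumptions made for illustration, and the exemption is only sound where the browser resolves *.localhost to the loopback address.

```javascript
// Added example; names are illustrative, not HTTPS Everywhere's API.

// Loopback hosts treated as potentially trustworthy in the spirit of the
// W3C Secure Contexts spec: localhost, *.localhost, 127.0.0.0/8 and ::1.
// Assumption: the browser hardcodes *.localhost to loopback (no DNS lookup).
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop trailing dot
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true; // URL.hostname keeps the brackets
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Scheme-only check: every https -> http redirect counts as a downgrade,
// so redirects to a local gateway on *.localhost get blocked too.
function isDowngradeByScheme(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' &&
         new URL(toUrl).protocol === 'http:';
}

// Trust-aware check: https -> http is a downgrade unless the target
// never leaves the machine (loopback host).
function isDowngradeByTrustworthiness(fromUrl, toUrl) {
  if (!isDowngradeByScheme(fromUrl, toUrl)) return false;
  return !isLoopbackHost(new URL(toUrl).hostname);
}

// Constructed sample redirects (the source URLs are made up for the demo).
const samples = [
  ['https://ipfs.io/', 'http://ipfs.io.ipns.localhost:8080/'],
  ['https://example.com/', 'http://127.0.0.1:8080/'],
  ['https://example.com/', 'http://example.com/'],
  // Lookalike: "localhost" is only a label here, not the top-level name.
  ['https://example.com/', 'http://localhost.example.com/'],
];

for (const [from, to] of samples) {
  console.log(to,
    'scheme-only:', isDowngradeByScheme(from, to) ? 'block' : 'allow',
    'trust-aware:', isDowngradeByTrustworthiness(from, to) ? 'block' : 'allow');
}
```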
This appears to also affect Firefox's new HTTPS-only mode (dom.security.https_only_mode;true). I was hoping that Firefox 76 might also have fixed the aforementioned "Consider hardcoding localhost names to the loopback address", but that doesn't seem to be the case.
Any plans on fixing this? It's still causing issues. (or a workaround)
I think this may be fixed or at least Firefox's own HTTPS-only mode I mentioned in my last comment doesn't seem to cause issues with IPFS browsing anymore. Firefox's Bug 1220810 (let-localhost-be-localhost) has also been closed 4 months ago.
Links I tested include http://ipfs.io.ipns.localhost:8080/ ("IPFS powers the Distributed Web") and http://http.badssl.com/ ("HTTPS-only mode warning: Protected connection is not available" (translated from Finnish)).