Firefox connection upgrades - HTTP to HTTPS

Revision Information
  • Revision id: 291257
  • Created:
  • Creator: Simon Friedberger
  • Comment: Review changes from Malte
  • Reviewed: No
  • Ready for localization: No

WORK IN PROGRESS

NOT ready for review! DO NOT PUBLISH!

Connection Upgrades

Firefox may upgrade a connection to a website from the insecure HTTP protocol to the secure HTTPS protocol for a variety of reasons. Secure connections are necessary to make sure the websites you see are authentic and the data you are sending is not being intercepted. Today, most websites support the HTTPS protocol, so upgrading the connection should only cause problems in exceptional cases.

In many cases connection upgrades happen despite a link including the http:// scheme. The main reason for this is that even though most websites support HTTPS connections, there are still many old http:// links around.

Different Upgrade Mechanisms

Upgrade mechanisms can be classified by which party initiates them: the web browser or the web server. They can also be classified by which type of connection they affect. See the next section for more information.

Server Initiated Upgrades

When a web server indicates that it supports HTTPS, the situation becomes very simple: both ends of the connection support HTTPS, so it can be used instead of HTTP. A server has the following options to do so:

  • HTTP Strict Transport Security (HSTS) is a standard which lets websites communicate to the browser that they support secure connections and the browser will remember this for future connections. It is supplemented by a built-in list of such sites, the HSTS preload list.
  • HTTPS Resource Records (HTTPS RR) are special DNS entries which tell a browser that a web server supports HTTPS.
  • While not technically a connection upgrade, many websites redirect HTTP connections to HTTPS using redirection status codes such as 301 Moved Permanently.
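
How a browser can "remember" an HSTS announcement and apply it to later http:// links, as an added example: a simplified JavaScript model based on RFC 6797, not Firefox's code and not part of the original article. The class name HstsStore and the hosts used with it are constructed for illustration, and the preload list is not modelled.

```javascript
// Simplified model of a browser-side HSTS store (RFC 6797). Illustration only.
class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record a Strict-Transport-Security header seen on a response.
  // Returns true if the header was accepted and the store was updated.
  noteHeader(responseUrl, headerValue, now = Date.now()) {
    const url = new URL(responseUrl);
    // A header received over plain HTTP could be forged in transit: ignore it.
    if (url.protocol !== "https:") return false;
    const directives = new Map();
    for (const part of headerValue.split(";")) {
      const [name, value = ""] = part.trim().split("=");
      if (name) directives.set(name.toLowerCase(), value.trim().replace(/^"|"$/g, ""));
    }
    const maxAge = directives.get("max-age");
    if (maxAge === undefined || !/^\d+$/.test(maxAge)) return false; // max-age is required
    if (Number(maxAge) === 0) { // max-age=0 asks the browser to forget the host
      this.entries.delete(url.hostname);
      return true;
    }
    this.entries.set(url.hostname, {
      expires: now + Number(maxAge) * 1000, // max-age is given in seconds
      includeSubDomains: directives.has("includesubdomains"),
    });
    return true;
  }

  // Return the URL to actually request: http:// becomes https:// for known hosts.
  upgrade(requestUrl, now = Date.now()) {
    const url = new URL(requestUrl);
    if (url.protocol !== "http:") return url.href;
    const labels = url.hostname.split(".");
    // Check the host itself (i = 0), then each parent domain.
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join("."));
      if (!entry || entry.expires <= now) continue; // unknown or expired
      if (i === 0 || entry.includeSubDomains) {
        url.protocol = "https:";
        return url.href;
      }
    }
    return url.href; // no HSTS knowledge: left for other upgrade mechanisms
  }
}
```

The first visit to a site is not covered by this mechanism, which is the gap the HSTS preload list supplements.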

Browser Initiated Upgrades

If the browser cannot know that the web server supports HTTPS connections, it can still attempt an upgrade. Since HTTPS is widely supported, this is often successful.

  • HTTPS-First upgrades to secure connections is a feature which has been in Firefox since version 136. It ensures that all connections attempt to use HTTPS first, before falling back to HTTP in case of failure. This will always select the most secure option, without bothering users.
  • HTTPS-Only Mode in Firefox is a setting which users can enable to ensure that Firefox will never establish an insecure connection without prompting the user first. While most sites support HTTPS today, most users are annoyed when they encounter a site which does not support it and find this setting too strict. It is therefore not enabled by default.
  • There are several web extensions which perform some kind of connection upgrade, but these mostly serve specific use cases for expert audiences.

Other Requests

The discussion above deals with so-called top-level or navigation requests. Those are requests that take the user to a different site, for example because of typing an address or clicking on a link. Web browsers also make many other requests, for example to download the images which will be displayed on a page. While HTTPS-Only Mode in Firefox affects all types of requests, mostly these get upgraded by other means: