[POLICY REQUEST] Add support for regex to `HttpAllowList` or add `HttpRegexAllowList`

[jaredmontoya]

Please either add this new policy to firefox:

    "HttpAllowlist": ["http://example.org",
                       "http://example.edu"],
    "HttpRegexAllowlist": ["http://.*\.customtld",
                       "http://.*vpntunneled\.local"],

Or add regex support to the existing HttpAllowlist policy

Machines of our users have a virtual network interface that lets them access IP addresses on our VPN. Those machines also use our DNS server that responds to queries about universally accepted TopLevelDomains generally used on the internet AND also respond to queries about our custom TopLevelDomain that is only used for ip addresses of services in our VPN. Due to the fact that our VPN already provides traffic encryption we find it unnecessary to use HTTPS for those services and we would like to use a regex expression to allow HTTP connections for domains under our custom TopLevelDomain.

We can't just disable HttpsOnlyMode because our users still browse the regular unencrypted internet.

[mkaply]

If you specify your toplevel domain in the HttpAllowList, it should cover all subdomains.

So putting ["foo.com"] will cover a.foo.com, b.foo.com, etc.

Is that what you need?

[jaredmontoya]

No, putting [ "foo.com" "com" ] results in
Ignoring parameter "foo.com" - not a valid origin.
Ignoring parameter "com" - not a valid origin.
because firefox expects it to be [ "http://foo.com" ] (I also have no idea why it needs the http:// prefix for a domain name list)
And when it is [ "http://foo.com" ] it works for foo.com.
But it in fact does not work for abc.foo.com and it is still upgraded to https.

But what we want is for every domain under the .com TLD(TopLevelDomain) to be treated as if it is in the HttpAllowList.
The difference in our case is that the TLD we are using is not .com but for example .hhh or .pqbvcnuyf and it will only work with our DNS server and will only point to an ip adress on a secure network, so https is not needed for that.

[mkaply]

Sorry, I meant https://foo.com and http://foo.com

But that's interesting. Origins should apply to subdomains.

I think this is a case where you need to open a bugzilla bug.

That feature was architected to use origins specifically.

https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=DOM%3A%20Security