HTTPS by Default for Android

[arthuredelstein]

Once we have resolved #27141, we plan to add a UI for HTTPS by Default on Android.

[arthuredelstein]

See QA testing info here: brave/brave-core#17581 (comment)

[kjozwiak]

QA can also use brave/brave-variations#560 (comment) as a template. Those are the cases that I went through verifying the feature before enabling it via Griffin 👍 CCing @Uni-verse @stephendonner

[Uni-verse]

Verification Completed on Samsung GS 21 5G using the following versions(s):

Brave	1.51.79 Chromium: 112.0.5615.49 (Official Build) beta (64-bit) 
Revision	bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS	Android 13; Build/TP1A.220624.014

Case: Griffin Experiment

Variations server URL: https://variations.bravesoftware.com/seed

• Ensured that BraveHttpsByDefaultRolloutStudy:Enabled is shown in active variations
• Ensured that brave://flags#https-by-default is set to default

Brave://version	Shields Panel	HTTPS Upgrade in Shields	Global settings

Case: brave://flags

• Ensured when enabling brave://flags#https-by-default and relaunching browsing, the setting is updated in the Shields panel as well as the global settings under Privacy/Shields
• Ensured that https-by-default is not enabled when set to default under brave://flags

Enabled	Enabled	Disabled	Disabled

Case: New Profile (Negative Test Case)

• Ensured that https-by-default is not enabled on a new profile using the production variations seed url.

Enabled	Enabled

Case: Require all connections to use HTTPS (strict)

• Ensured that loading http://upgradeable.arthuredelstein.net will upgrade automatically to https
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.com will present interstitial page regarding insecure connection.

Example	Example	Example

Case: Upgrade to HTTPS whenever possible (default)

• Ensured that loading http://upgradeable.arthuredelstein.net will upgrade to https using default setting
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.comwill not show the interstitial page and show the page contents.
• Ensured that disabling shields will not upgrade to HTTPS automatically when set to default

Example	Example	Example	Example

Case: Don't upgrade connections to HTTPS (disabled)

• Ensured that loading http://upgradeable.arthuredelstein.net will not upgrade to https
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.comwill not show the interstitial page
  and show the page contents.

Example	Example	Example

Case: Globals

• Ensured setting global HTTPS setting will take affect on webpages
• Ensured that global preference will not override existing per site setting
• Ensured that changing global HTTPS by default setting multiple times works and displays correctly in settings

Disabled	Default	Strict

Case: Per-site settings

• Ensured that per site setting preference overrides global setting
• Ensured that changing the global setting will not override the existing per site setting
• Ensured that changing from default to strict for insecure pages will present the site not secure warning interstitial page on http

Case: Shields Toggle

• Ensured that toggling shields will disable HTTPS by default
• Ensured that disabling shields will not redirect to https when loading http://upgradable.arthuredelstein.net, and enabling will upgrade to HTTPS by default when set to strict/default

Example	Example	Example	Example

Case: Private Browsing

• Ensured that loading http://upgradeable.arthuredelstein.net will upgrade to https using default setting
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.comwill not show the interstitial page and show the page contents.

Example	Example	Example	Example	Example

Case: Upgraded Profile

• Ensured that HTTPS by default preference is kept after upgrading
• Ensured that warning interstitial page is shown when loading https://http.badssl.com with HTTPS by default strict setting
• Ensured that changing per site and global settings will upgrade to HTTPS accordingly

Testing upgrading from 1.50.99 -> 1.51.85 covered in #28295 (comment)

1.51.78	1.51.78	1.51.78	1.51.78
1.51.79	1.51.79	1.51.79	1.51.79

Changing preference post-upgrade (http.badssl.com)

Example	Example

[Uni-verse]

Verification Completed on Samsung Galaxy Tab S7 using the following versions(s):

Brave	1.51.79 Chromium: 112.0.5615.49 (Official Build) beta (64-bit) 
Revision	bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS	Android 13; Build/TP1A.220624.014

Case: Griffin Experiment

Variations server URL: https://variations.bravesoftware.com/seed

• Ensured that BraveHttpsByDefaultRolloutStudy:Enabled is shown in active variations
• Ensured that brave://flags#https-by-default is set to default

Brave://version	Shields Panel	HTTPS Upgrade in Shields	Global settings

Case: brave://flags

• Ensured when enabling brave://flags#https-by-default and relaunching browsing, the setting is updated in the Shields panel as well as the global settings under Privacy/Shields
• Ensured that https-by-default is not enabled when set to default under brave://flags

Enabled	Enabled	Disabled	Disabled

Case: New Profile (Negative Test Case)

• Ensured that https-by-default is not enabled on a new profile using the production variations seed url.

Example	Example

Case: Require all connections to use HTTPS (strict)

• Ensured that loading http://upgradeable.arthuredelstein.net will upgrade automatically to https
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.com will present interstitial page regarding insecure connection.

Example	Example	Example

Case: Upgrade to HTTPS whenever possible (Default)

• Ensured that loading http://upgradeable.arthuredelstein.net will upgrade to https using default setting
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.comwill not show the interstitial page and show the page contents.
• Ensured that disabling shields will not upgrade to HTTPS automatically when set to default

Example	Example	Example	Example

Case: Don't upgrade connections to HTTPS (disabled)

• Ensured that loading http://upgradeable.arthuredelstein.net will not upgrade to https
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.comwill not show the interstitial page
  and show the page contents.

Example	Example	Example

Case: Globals

• Ensured setting global HTTPS setting will take affect on webpages
• Ensured that global preference will not override existing per site setting
• Ensured that changing global HTTPS by default setting multiple times works and displays correctly in settings

Disabled	Default	Strict

Case: Per-site settings

• Ensured that per site setting preference overrides global setting
• Ensured that changing the global setting will not override the existing per site setting
• Ensured that changing from default to strict for insecure pages will present the site not secure warning interstitial page on http

Case: Shields Toggle

• Ensured that toggling shields will disable HTTPS by default
• Ensured that disabling shields will not redirect to https when loading http://upgradable.arthuredelstein.net, and enabling will upgrade to HTTPS by default when set to strict/default

Case: Private Browsing

• Ensured that loading http://upgradable.arthuredelstein.net will upgrade to https using default setting
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.comwill not show the interstitial page and show the page contents.

Example	Example	Example	Example	Example

Case: Upgraded Profile

• Ensured that HTTPS by default preference is kept after upgrading
• Ensured that warning interstitial page is shown when loading https://http.badssl.com with HTTPS by default strict setting
• Ensured that changing per site and global settings will upgrade to HTTPS accordingly

Defaults (Not changing HTTPS globals, 1.50.99 -> 1.51.79)

Old (Globals)	Old (per site)	Old (per site)
New (Globals)	New (per site)	New (per site)

Strict (Always use secure connection enabled, 1.50.99 -> 1.51.79)

Old (Globals)	Old (Per site)

New (Globals)	New (Per site)

Disabled (Disable HTTPS in global settings, 1.50.99 -> 1.51.79)

Old	Old

New	New

[Uni-verse]

Verification Completed on Pixel 5 running Android 8

Brave	1.51.85 Chromium: 112.0.5615.49 (Official Build) beta (32-bit) 
Revision	bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS	Android 8.0.0; Build/OSR1.180418.026

• Ensured that loading http://upgradeable.arthuredelstein.net will upgrade to https using default setting
• Ensured that loading http://insecure.arthuredelstein.net or http://http.badssl.com will not show the interstitial page and show the page contents using defaults
• Ensured that disabling shields will not upgrade to HTTPS automatically when set to default
• Ensured interstitial warning for insecure connection is shown when using strict HTTPS setting

Fresh Profile

Brave://version	Brave://flags	Example	Example	Example	Example	Example	Example

Upgraded Profile

• Ensured that default preference is kept when upgrading from 1.50.99 -> 1.51.85
• Ensured that strict HTTPS preference is kept when upgrading from 1.50.99 -> 1.51.85

Old	Old	New	New