So in Standard security mode I occasionally see pages of the following kind when I type a domain/path into the URL bar and don’t explicitly specify the scheme (i.e. https://). My understanding is that this is triggered by a timeout waiting for an HTTPS connection - at which point the user is presented with the choice to visit the HTTP page.
I have read here that this mechanism at least used to send a background HTTP request - is that still the case? I’m guessing it is, as there seems to be a test specifically to check that no sensitive info is sent in this request. So what information exactly is sent in such a HTTP background request?
AFAICT HTTPS-Only Mode is enabled in all windows in all 3 security modes. The preference which controls whether or not a background HTTP request is sent (after an HTTPS request timeout) seems to be dom.security.https_only_mode_send_http_background_request. It looks like this used to be set to false in Safer and Safest security modes, but after this change it seems to be set to true in all 3 security modes (when I open TB in each of the 3 modes it is set to true). Is this right and if so why the change?
Apologies if this is a non issue and/or has been covered elsewhere, but I am seeing the above page frequently on one particular blog platform and just want to make sure I’m not leaking any sensitive info there. Thanks.