Safari 6 degrades https to http upon pasting into omnibar
Product Version: 6.0 (8536.25)
When pasting part of a URL over an existing part in Safari's omnibar on a page accessed via https, the protocol is automatically degraded to http, resulting in an unencrypted connection being made.
Steps to Reproduce:
Access a Website via https with one or multiple path components.
For example: https://www.google.com/intl/en/policies/
Make sure you're using httpS
Copy the string “at” (without quotes) to your pasteboard. Click into the terrible omnibar in Safari 6. Double-click the URL part en and paste the string at from your pasteboard. Hit return to load the manually corrected URL.
The next request is sent over http without SSL instead of https.
The protocol should NEVER change just by editing a non-protocol part of any URL by hand. It should also NOT automatically downgrade from https to http just by pasting text that doesn't explicitly contain http://
Safari 6 silently degrades https to http without any reason, leaking all GET parameters by not using the expected encryption.
Selecting a part of the URL and then typing over it does not degrade the protocol. This only happens when PASTING text.
Tested only under OS X 10.8 Mountain Lion 12A269. Haven't tried Safari 6 under 10.7.x Lion.
This is independent of the certificate used by the site. No matter if self-signed, standard SSL or even SSL with extended validation.
Original discovery of this behavior by Andreas Fuchs, I'm just filing the appropriate radar.