Follow-up from "Set "browser.fixup.alternate.enabled" to true in librewolf.cfg"

The following discussion from !44 (closed) should be addressed:

  • @FaridZelli started a discussion: (+1 comment)

    Hey @fxbrit, thanks for the reply! I read through issue #180 (closed) as you have linked, and I think there has been a misunderstanding regarding the entry.

    Please excuse me if I make mistakes, as I'm not a programmer nor a developer by any means.

    In your first comment here, you brought up a line from the arkenfox user.js profile which brings up the subject of domain name guessing. And later on, a document from the Mozilla Archive explaining the feature's relation with browser.fixup.alternate.enabled as well as the neighboring preferences.

    As I haven't seen this behavior in a desktop browser for a very long time, I had a look at Firefox's source code and landed on URIFixup.jsm. If you have a closer look at the corresponding function of alternateEnabled at line 749, it seems that all the toggle really does is append a custom suffix and prefix rather than performing any form of brute-force domain guessing. And if you examine the comment above, it clearly states:

    This generates an alternate fixedURI, by adding a prefix and a suffix to
     * the fixedURI host, if and only if the protocol is http. It should _never_
     * modify URIs with other protocols.

    Therefore, as the default protocol in the config is already HTTPS, I believe this was accounted for when the feature was introduced in this Bugzilla report from December of 2020, as I mentioned earlier.

    So as it seems, this function no longer has any effect on autocompletion or domain name guessing as of current builds of Firefox, simply serving as the master toggle for the recently introduced optional Suffix / Prefixes for search shortcuts (mainly Ctrl+Return).

    And finally, I couldn't help but notice that the document you linked to in the previous issue is in fact an archive from April 21, 2008, with most of the details coming from the Firefox 3.0 era.

    If you do happen to have time, could you please reconsider looking into this feature more in-depth?
    The main reason I have much care for this one toggle is because of nation-wide phishing attacks being carried out by the Iranian government to gain access to citizens' social media accounts by the masses, mainly leveraging HTTP vulnerabilities. Using the Ctrl+Return shortcut on LibreWolf with the current HTTP prefix results in having to manually bypass a "Continue to HTTP website" warning every single time when in HTTPS-Only mode.

    TL;DR: Endorsing HTTP is not a safe practice in countries without basic internet freedom rights.
    Again, sorry if I made (a lot of) mistakes. Would be glad to be corrected wherever I'm wrong.

Edited by fxbrit
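
The rule in the source comment quoted in the discussion above (prefix and suffix are added to the host if and only if the protocol is http), as an added example that is not part of the original discussion and is not Firefox's or LibreWolf's code. The function name `alternateFixedURI`, its options, the `www.` / `.com` values and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model (assumption), NOT the code in URIFixup.jsm.
// It encodes only the rule stated in the quoted comment: an alternate URI is
// built by adding a prefix and a suffix to the host, and only for http URIs.
function alternateFixedURI(input, opts = {}) {
  const { enabled = true, prefix = "www.", suffix = ".com" } = opts;

  // The toggle discussed in the issue: when off, no alternate is produced.
  if (!enabled) return null;

  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null; // not a parseable absolute URI
  }

  // "if and only if the protocol is http": https, ftp, etc. are never touched.
  if (url.protocol !== "http:") return null;

  // Add prefix/suffix only where missing, so an already complete host
  // is left alone instead of becoming www.www.example.com.com.
  let host = url.hostname;
  if (prefix && !host.startsWith(prefix)) host = prefix + host;
  if (suffix && !host.endsWith(suffix)) host = host + suffix;
  if (host === url.hostname) return null; // nothing changed, no alternate

  url.hostname = host;
  return url.href;
}

// Constructed sample inputs showing which ones get an alternate.
for (const sample of ["http://example", "https://example", "http://www.example.com"]) {
  console.log(sample, "->", alternateFixedURI(sample));
}
```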