Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

HTTPS-only exception list

  • 3 replies
  • 1 has this problem
  • 1 view
  • Last reply by cor-el

more options

I have enabled HTTPS-only to everywhere.

Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators.

The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page.

I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit.

I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that?

on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

I have enabled HTTPS-only to everywhere. Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators. The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page. I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit. I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that? on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

All Replies (3)

more options

Firefox's HTTPS-only setting automatically opens all sites in HTTPS and displays an error if the HTTPS connection cannot be made. The override option is on a per-site basis, so you will still need to land on the site to disable HTTPS-only.

Alternatively, you could use HTTPS Everywhere extension instead which is based on a ruleset. This will not forcibly upgrade your work site to HTTPS since it does not appear on the list while still maintaining HTTPS everywhere else.

more options

I used to use HTTPS Everywhere. I actually just removed it in favor of the built in Firefox behavior. All it is missing is the ability to toggle off HTTPS-only for a site with out requiring one to actually visit the site first.

As it turns out I have a solution, but it involves poking around in your firefox internals. I'm sure all the usual warnings about "you break it, you bought it" applies here.

I discovered that the site specific HTTPS-only settings are stored in $profile/permissions.sqlite. I closed firefox and inserted a new row that looks something like this:

"4375,http:${url},https-only-load-insecure,1,0,0,1617224928601"

I would love to see a better way to add exceptions rather than fiddling with sqlite files.

more options

You can possibly use code in the Browser Console (not the Web Console) to add or remove "https-only-load-insecure" exceptions.


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function addException(uri){
Services.perms.addFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri),HTTPS_ONLY_PERMISSION,1,0);
}
for (var i=0; i<myOrigins.length; i++) addException(myOrigins[i]);


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function removeException(uri){
Services.perms.removeFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri), HTTPS_ONLY_PERMISSION);
}
for (var i=0; i<myOrigins.length; i++) removeException(myOrigins[i]);