Stop firefox from forcing https:// even with autofill false
Hello,
When I request Firefox to open a webpage on my own website using the http:// protocol Firefox still uses the https:// protocol. This is on my own website so I have control over the redirect/rewrite settings and there is no setting that I know off. Furthermore Internet Explorer just loads the page via http:// when I type the URL in the address bar. Chrome does it fine as well.
I have tried disabling the autoFill and autocomplete for the URLbar, I even cleared my history. I have also check with the developer tools (F12) and the NET console, Firefox never requests the page using http:// but directly using https:// despite my efforts typing the URL with http://.
"browser.urlbar.autoFill": false, "browser.urlbar.trimURLs": false, "browser.urlbar.autoFill.typed": false, "browser.urlbar.autocomplete.enabled": false,
I have checked with an external site for the headers and they are just 200 OK for the http url I'm trying to reach.
If need I can write the link so you can test for yourself.
Thanks for your help. Regards
Gekozen oplossing
Are there any parts of your site where you use HTTPS? Sometimes an administrative page will send Firefox a header indicating that it must always use HTTPS ("Strict Transport Security"), and that is remembered for the entire domain, even for pages that should not use HTTPS.
If you think this is a possibility, to clear that setting, you can try this:
In the Library dialog (Ctrl+Shift+h), right-click a history entry for your server and choose Forget About This Site. This will clear the permission/restriction settings for the site, as well as history, cookies, and any bookmarks to the site.
If you don't want to lose all those items, there is a more roundabout way to do it. Please see this post and the one following: https://support.mozilla.org/questions/984794#answer-528146
Dit antwoord in context lezen 👍 2Alle antwoorden (4)
Gekozen oplossing
Are there any parts of your site where you use HTTPS? Sometimes an administrative page will send Firefox a header indicating that it must always use HTTPS ("Strict Transport Security"), and that is remembered for the entire domain, even for pages that should not use HTTPS.
If you think this is a possibility, to clear that setting, you can try this:
In the Library dialog (Ctrl+Shift+h), right-click a history entry for your server and choose Forget About This Site. This will clear the permission/restriction settings for the site, as well as history, cookies, and any bookmarks to the site.
If you don't want to lose all those items, there is a more roundabout way to do it. Please see this post and the one following: https://support.mozilla.org/questions/984794#answer-528146
It's actually Wordpress, and yes I have setup the option for using HTTPS to login to the administrative part. I'm not logged at the moment.
So it's true that a certain part of the website does automatically use HTTPS.
I have tried your suggesting and it works after forgetting the site and restarting firefox.
I then read the other topic, and indeed I have configured STS on the webserver config. I have changed the config after reading more about Strict-Transport-Security and it's purpose, clearly I should have done that before configuring it.
So thank you, for your excellent help!
I started having this problem with my web page last night, making it impossible to use the page at all with Firefox. It works perfectly with Chrome, or *gag, retch* Internet Exposure.
A sample link is http://www.calweb.com/~mvp/unicode.html
The problem exists with every page in my directory.
I brought up the history and clicked "forget" on calweb.com.
I installed SQLite Manager, and went through every single SQLite database and table, doing a complete search-and-destroy on any URL that mentioned calweb.
It is still forcing https when I type http, with the result that I get a 404. (Unfortunately, I have no control over how Calweb handles https. They return a 404 on user pages that attempt https.)
Hi mikevp,
You have the same problem I had. When I click your link for the first time (using HTTP) there is no problem. When I manually change the URL to use HTTPS I get a 404 error page, but this error page has STS headers set. To explain it in short terms this STS header tells the browser that all webpages of this domain should always be opened using HTTPS. This is a security measure to stop man in the middle attacks using non-https pages. It really should only be set for really sensitive websites such as home banking.
The problem is that Firefox supports the STS header and as such will from now on only open pages on your domain using HTTPS. You can make firefox forget ever seeing this header by using the forget option (I had to do it twice), but you need to make sure firefox doesn't see the header the next time you try a HTTPS page on your domain.
If you are responsible for the configuration of the webserver, remove the STS option in the config. If it is your host tell them the problem and they should change the configuration.
PS: I have added a screenshot of the repsonse headers sent by the 404 error page that shows the STS header that is causing the trouble.
So to sum up, Firefox follows this strict security header, and it's not firefox's fault but the configuration of the webserver.