Firefix 25.0.1 forces SSL even when http:// is specified in the location bar
I own elbertkarsten.com and run non-SSL http servers on ports 80 and 8080. I also run a SSL http server on port 443.
If I exactly type "http://elbertkarsten.com/" Firefox changes the protocol to https and issues an SSL request to my webserver over port 443.
If I specify a port (80 or 8080), Firefox will change the protocol to https and issue an SSL request over that port.
My server logs no redirects. This is entirely Firefox's behavior. I am able to use the same URL with wget and there is no protocol changing problems.
If I specify a protocol I would expect it to be used.
Ọ̀nà àbáyọ tí a yàn
I believe I found the issue. My server has a canned PHP application on it that I run over SSL (and everything else over standard HTTP). That PHP application is setting the Strict-Transport-Security header, which Firefox is handling correctly.
It would seem my only recourse is to move the SSL application to a different domain or prevent it from setting that header.
Thanks to everyone who took the time to respond.
Ka ìdáhùn ni ìṣètò kíkà 👍 0All Replies (15)
hello danelbert, you might want to try the following: enter about:config into the firefox address bar (confirm the info message in case it shows up) & search for the preference named browser.urlbar.autoFill. double-click it and change its value to false.
The setting changes nothing. And even if it did, how would it ever be acceptable for the browser to ignore the protocol of a URL?
i don't think this is an intended way of how firefox works. can you try to replicate this behaviour when you launch firefox in safe mode once?
Troubleshoot extensions, themes and hardware acceleration issues to solve common Firefox problems
if so, you might want to go ahead and file a bug at bugzilla.mozilla.org
Unfortunately, I get the same behavior in safe mode. I'll submit this to the bug tracker.
Thanks for your help, philipp. I really appreciate the quick responses.
Firefox can force a secure HTTPS connection if you've ever visited a page on a website via a secure connection and auto-fill is enabled.
If this is happening then you need to remove all https visit items to that domain from the history and possibly also clear the cache if you want to use a normal http connection.
Is the problem only in the address bar or are you redirected when using either of these:
- bookmark
- history entry (e.g., from History > Show All History)
cor-el: Auto-fill is disabled, as I said earlier in this thread. Even if it was not disabled, what you described as a "fix" or "workaround" is neither. If I type a URI protocol into the address bar and Firefox ignores it completely, Firefox is not functioning correctly.
jscher2000: Good question. I've already cleared my history, so I no longer have any http items there (and can't create new ones), but any bookmark I create exhibits the same faulty behavior.
To bypass cookies, could you try the site in a new private window? Not sure exactly where that is in the menus on Mac, but possibly Command+Shift+p will call it up.
Ọ̀nà àbáyọ Tí a Yàn
I believe I found the issue. My server has a canned PHP application on it that I run over SSL (and everything else over standard HTTP). That PHP application is setting the Strict-Transport-Security header, which Firefox is handling correctly.
It would seem my only recourse is to move the SSL application to a different domain or prevent it from setting that header.
Thanks to everyone who took the time to respond.
One other way around might be to use the "Forget About This Site" feature to cleanse the permissions file of the site-specific STS setting. This feature also removes bookmarks, history, cookies, and anything else site-specific. You can access that feature using either:
- History Sidebar (command+shift+h) > right-click context menu
- Library dialog (History > Show All History) > right-click context menu
- about:permissions page (type or paste about:permissions in the address bar and press Enter, after the list loads, select the site, then look for the Forget button in the upper right of the page)
Has this been added to bugzilla? I find it distasteful that deleting your browsing history is marked as "solution".
this is not a bug but a security measure on the server-side working as intended, as the original question owner has discovered: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
It definitely is not a feature. If the user explicitly requires something, the browser should comply, not silently subvert their wishes and redirect them to a page that may not work without even a smallest notification.
Hi KrzaQ, which problem are you having?
- Firefox's address bar autofill feature is changing http to https (there is a setting to disable the address bar autofill feature)
- Website sent an "always use HTTPS" header that Firefox is obeying (the problem experienced by the original poster in this thread)
- Some other issue
"Firefox's address bar autofill feature is changing http to https (there is a setting to disable the address bar autofill feature) " Tried that, doesn't work for me. Tried pasting/writing, with and without trailing slash. Wouldn't work at all.
"Website sent an "always use HTTPS" header that Firefox is obeying (the problem experienced by the original poster in this thread)" Most likely this. I'm not getting any feedback except for seemingly automatic redirect. I'm using my history for more than just the awesomebar suggestions, so removing it is not an option. I'd really like it if there was at last some information provided (like a non-modal popup "Hey! We're doing something you didn't want, but it's okay, we know what you want better than you do!"), and possibly an option to ignore this for certain webisites.