Bug 1767588 Comment 6 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I'm sorry this has taken so long to get to our team. But I'm a bit confused because your symptoms don't seem to match what I'd expect to happen from https-first.the right team -- if it *is* the right team. Your symptoms don't seem to match either https-only or https-first modes.

"HTTPS Only" is an option in preferences (at the bottom of the privacy and security pane). In this off-by-default mode you should get an error page when you go to the https:// version of your router, and the explicit option to disable upgrades for that "domain" on that error page and via the permission icon in the address bar. Your symptoms don't sound like this.

"HTTPS First" will first try an https: connection, but if there's an explicit cert or connection failure or if it doesn't get an answer in a short timeout (3 seconds maybe?) it will revert back to using http: as originally requested. Since your actual results step 3 says it won't connect that doesn't sound at all like HTTPS First. Also, HTTPS First is only enabled in private browsing, and your comment 4 says you tried a private window which implies most of the time you don't use a private window. There's silent "always in private browsing" if you disable saving history, but since you talk about having history to remove I'll assume that's not the issue either.

You removed history, but did you remove *the cache*?  Site redirects (such as http: to https:) would be saved in the cache, though if you don't actually have a server at the https port then I don't know why the router would issue a redirect. There's also the Strict-Transportation-Security header that will remember to always use https: for a certain site, but that can't be set by a site unless you connect to it once over https:. You'd have to "forget about this site" to get rid of that setting.

In addition to all of the above, https-only and https-first ALREADY don't upgrade localhost or local IP addresses. There's a hidden pref where people can turn on upgrading local IP addresses but it's off by default
https://searchfox.org/mozilla-central/rev/1865e9fba4166ab2aa6c9d539913115723d9cc53/modules/libpref/init/StaticPrefList.yaml#3655-3659

And we NEVER upgrade localhost to https
https://searchfox.org/mozilla-central/rev/1865e9fba4166ab2aa6c9d539913115723d9cc53/dom/security/nsHTTPSOnlyUtils.cpp#747-771

Something else is going on.

Is this still happening? It might be a security addon like "HTTPS Everywhere", though presumably you would have thought of that since that's the whole point of installing that one. It might also be a security proxy doing it, perhaps installed with an anti-virus product? If you're a protonmail user you might be more likely than the average person to have other security and privacy products installed.

I'm sorry this has taken so long to get to our team. But I'm a bit confused because your symptoms don't seem to match what I'd expect to happen from either https-only or https-first modes.

"HTTPS Only" is an option in preferences (at the bottom of the privacy and security pane). In this off-by-default mode you should get an error page when you go to the non-connecting https:// version of a site, and the explicit option to disable upgrades for that "domain" on that error page and via the permission icon in the address bar. Your symptoms don't sound like this.

"HTTPS First" will first try an https: connection, but if there's an explicit cert or connection failure or if it doesn't get an answer in a short timeout (3 seconds maybe?) it will revert back to using http: as originally requested. Since your actual results step 3 says it won't connect that doesn't sound at all like HTTPS First. Also, HTTPS First is only enabled in private browsing, and your comment 4 says you additionally tried a private window which implies most of the time you don't use a private window. There's silent "always in private browsing" if you disable saving history, but since you talk about having history to remove I'll assume that's not the issue either.

You removed history, but did you remove *the cache*?  Site redirects (such as http: to https:) would be saved in the cache, though if you don't actually have a server at the https port then I don't know why the router would issue a redirect. There's also the Strict-Transportation-Security header that will remember to always use https: for a certain site, but that can't be set by a site unless you connect to it once over https:. You'd have to "forget about this site" to get rid of that setting.

In addition to all of the above, https-only and https-first ALREADY don't upgrade localhost or local IP addresses. There's a hidden pref where people can turn on upgrading local IP addresses but it's off by default
https://searchfox.org/mozilla-central/rev/1865e9fba4166ab2aa6c9d539913115723d9cc53/modules/libpref/init/StaticPrefList.yaml#3655-3659

And we NEVER upgrade localhost to https
https://searchfox.org/mozilla-central/rev/1865e9fba4166ab2aa6c9d539913115723d9cc53/dom/security/nsHTTPSOnlyUtils.cpp#747-771

Something else is going on.

Is this still happening? It might be a security addon like "HTTPS Everywhere", though presumably you would have thought of that since that's the whole point of installing that one. It might also be a security proxy doing it, perhaps installed with an anti-virus product? If you're a protonmail user you might be more likely than the average person to have other security and privacy products installed.
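
An added illustration, not part of the comment above and not Firefox code: the comment names two things that can make an https: upgrade stick outside the HTTPS-Only and HTTPS-First modes, a cached http: to https: redirect and the HSTS header (`Strict-Transport-Security` on the wire). The sketch below classifies one response for both. The function name and sample URLs are hypothetical, the caching rules are simplified from RFC 9111, and the HSTS rules (ignored over http:, never noted for IP-address hosts) follow RFC 6797.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def _max_age(value):
    """Return the max-age directive as an int, or None if it is absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(m.group(1)) if m else None

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def sticky_https_causes(url, status, headers):
    """List the mechanisms by which this response could persist an https: upgrade."""
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    causes = []

    # 1. Redirect to https: that the HTTP cache may replay without asking again.
    location = h.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        cc = h.get("cache-control", "").lower()
        age = _max_age(cc)
        if "no-store" in cc or "no-cache" in cc:
            stored = False                  # not stored, or revalidated each time
        elif age is not None:
            stored = age > 0
        elif "expires" in h:
            stored = True                   # simplification: assume a future date
        else:
            stored = status in (301, 308)   # permanent redirects cache by default
        if stored:
            causes.append("cached-redirect")

    # 2. HSTS: honoured only over https:, and never for an IP-address host.
    sts = h.get("strict-transport-security")
    if sts and parts.scheme == "https" and not _is_ip_literal(parts.hostname or ""):
        if (_max_age(sts) or 0) > 0:        # max-age=0 clears the entry instead
            causes.append("hsts")
    return causes
```

For a router reached by its local IP address, only the cached-redirect branch can apply, which is why clearing the cache is the relevant check there.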
