Closed Bug 702936 Opened 13 years ago Closed 13 years ago

HTTPS is forced on third-level domains after visiting the second-level domain via HTTPS

Categories

(Core :: Networking, defect)

9 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: morpheus3k+bugzilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0
Build ID: 20111109112850

Steps to reproduce:

I am running two different web servers (with two different IP addresses). The first runs my second-level domain (example.org) and the second runs a third-level domain (test.example.org). My main web server (example.org) is reachable via HTTP (Port 80) and via HTTPS (Port 443). Additionally I send the header for HTTP Strict Transport Security (HSTS). Therefore HTTP requests to my main server (second-level domain: example.org) get automatically changed to HTTPS requests by Firefox.
My second web server (third-level domain: test.example.org) is just running HTTP (Port 80) and does not run SSL-based HTTPS on Port 443.
I try to access my test.example.org website.


Actual results:

I got the Firefox message "The connection has timed out".
After investigation I found that Firefox tries to access test.example.org:443. But on the second server I do not run HTTPS (Port 443).


Expected results:

The browser should have accessed Port 80 for the third-level domain (test.example.org).
OS: Windows 7 → All
Hardware: x86_64 → All
What is the exact STS header sent by your example.org site?
And better yet, are there public URIs for these two servers that would let me just get that information myself?
"Strict-Transport-Security	max-age=2592000; includeSubdomains"

That's embarrassing. I haven't checked this header. Sorry for your time. My fault!
No problem.  Thanks for double-checking that!
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
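
Added example, not part of the original bug thread and not Firefox's code: a small Python model of how a browser applies a stored HSTS policy, showing why the `includeSubdomains` directive in the header quoted above caused requests to `test.example.org` to be upgraded to HTTPS. The names `parse_sts` and `HstsStore` are hypothetical, and expiry tracking is left out.

```python
from urllib.parse import urlsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub


class HstsStore:
    """Simplified model of a browser's known-HSTS-host list (hypothetical)."""

    def __init__(self):
        self.hosts = {}  # host -> include_subdomains flag

    def note_header(self, url, value):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # the header is ignored when received over plain HTTP
        max_age, include_sub = parse_sts(value)
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 clears the stored policy
        else:
            self.hosts[host] = include_sub

    def must_upgrade(self, host):
        """True if an http:// request to host would be rewritten to https://."""
        host = host.lower().rstrip(".")
        if host in self.hosts:
            return True
        labels = host.split(".")
        # A parent domain only matches if it was stored with includeSubDomains.
        return any(self.hosts.get(".".join(labels[i:]))
                   for i in range(1, len(labels)))
```

Sending the header from example.org without `includeSubdomains` would leave `test.example.org` on plain HTTP; an entry already stored in the browser stays in effect until its `max-age` runs out or the site sends `max-age=0`.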