1446872 - Firefox forces https connection on a local domain

Status: RESOLVED DUPLICATE of bug 1436292

(Firefox :: Untriaged, defect)

Description

[Gabriel]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180315233128

Steps to reproduce:

Changed Windows 10 hosts file to add a local domain:
File:
Windows\System32\drivers\etc\hosts
Added:
127.0.0.1 localhost.dev
127.0.0.1 www.localhost.dev


Actual results:

After the update to the 59 branch, whenever I try to access my local development server (Apache) by typing http://www.localhost.dev/, Firefox will automatically open https://www.localhost.dev/.
When https is disabled on that location, a site inaccessible message is displayed. When https is enabled, a SEC_ERROR_UNKNOWN_ISSUER is displayed without any option to add an exception.

- the cache is cleared just before testing it
- tested with MS Edge and the problem didn't happen
- url autofill is disabled
- the problem doesn't happen in other websites or using direct ip access 127.0.0.1
- request headers before opening https version:
Host: www.localhost.dev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive



Expected results:

The connection should have been made to the http site as usual.

Comment 1

[[:philipp]]

hi, please see:
https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
https://medium.engineering/use-a-dev-domain-not-anymore-95219778e6fd

tldr: .dev is a tld belonging to google and they have put it on a list of sites to always use strict transport security & that list will be preloaded with various browsers.