disabling "forced https" by Firefox 95 fails; cannot visit an unencrypted http web page
Categories: Core :: DOM: Security, defect
People: Reporter: s.egbert, Unassigned
Details
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Steps to reproduce:
On Firefox 92, 93, and 94, I am unable to visit http://egbert.net:80/ in an unsecured manner.
This website hosts BOTH secured AND unsecured HTML pages and has NO REDIRECT enabled.
Actual results:
Redirected BY FIREFOX to https://egbert.net/
As confirmed by Wireshark showing that Firefox 94 started with port 443 right out the starting gate.
Expected results:
Visit an unencrypted website.
I've already tried the following Firefox 94 settings to no avail:
- (hamburger)->Settings->Privacy&Security->Don’t enable HTTPS-Only Mode
- dom.security.https_only_mode_send_http_background_request = false
- network.dns.disablePrefetchFromHTTPS = false
- network.dns.httpssvc.reset_exclustion_list = false
- network.dns.upgrade_with_https_rr = false
- network.dns.use_https_rr_as_altsvc = false
- plugins.http_https_only = false
- security.disallow_privileged_https_stylesheet_loads = false
- security.disallow_privileged_https_subdocuments_loads = false
- browser.urlbar.autoFill = false
What else do I have to do to turn off this port 443 for this website?
Comment 1•3 years ago
The site has HSTS enabled. Closing as Invalid.
You shouldn't do the following for security reasons.
Set network.stricttransportsecurity.preloadlist to false. You may also need to go into the History section of the Library, right-click the site and choose "Forget About This Site".
Comment 2•2 years ago
This is an incorrect resolution. The HSTS header only gets sent over HTTPS connections, so if the preload list is disabled, and all history has been cleared, then navigating to a website using http:// should not be redirecting to https://. I can confirm this in the dev console. The initial connection is sent as https://, even though the preload list is disabled and there is no history. Something is doing the redirection and there is no clear explanation as to a) why this incorrect behavior exists and b) how to disable it.
Comment 3•2 years ago
I'm not seeing that site redirect to https:// - it stays on http://.
Comment 4•2 years ago
Yes, now I am able to navigate directly to that site using http://. However, I noticed a strange behavior: the network.stricttransportsecurity.preloadlist setting doesn't seem to be recognized when Firefox is configured to never remember history. If I go to the Privacy & Security settings, and set "Firefox will [Never remember history]", I am unable to navigate to that website using http://, even with network.stricttransportsecurity.preloadlist set to false.
I recreated this behavior in a VM with a fresh install of Fedora 36. Is this behavior intentional?
Comment 5•2 years ago
I can also confirm this behavior when opening http://egbert.net in a private window. Even if network.stricttransportsecurity.preloadlist is set to false, and my history is empty, I am redirected to https:// automatically when browsing from a private window.
Comment 6•2 years ago
It has nothing to do with the HSTS preload list. I don't know why private windows behave differently. Perhaps that's a bug.
Comment 7•2 years ago
(In reply to whelderwheels613 from comment #4)
> If I go to The Privacy & Security settings, and set "Firefox will [Never remember history]", I am unable to navigate to that website using http://, even with network.stricttransportsecurity.preloadlist set to false.

That setting puts you in "permanent private browsing" mode. In Private Browsing there is the "HTTPS first" setting dom.security.https_first_pbm which was not one of the prefs you disabled in comment 0.
There is a per-site exception mechanism for HTTP Only that we are working on bringing to HTTP First.
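As an added illustration (not code from the bug report or from Firefox itself), the following model separates the mechanisms the thread touches on that can turn an http:// navigation into https://: a cached HSTS header, the HSTS preload list, HTTPS-Only Mode, and HTTPS-First in private browsing. The `BrowserState` class, its check order and the sample preload-list contents are my own simplification and constructed data; the pref names are the ones quoted in the comments.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); return None if malformed."""
    max_age, flags = None, {"includesubdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name in flags:
            flags[name] = True
    if max_age is None:  # max-age is mandatory; a header without it is ignored
        return None
    return {"max_age": max_age, **flags}

@dataclass
class BrowserState:
    # Pref names as quoted in the thread; all values here are a constructed sample.
    hsts_hosts: set = field(default_factory=set)    # hosts learned from HSTS headers over https
    preload_list: set = field(default_factory=set)  # built-in HSTS preload list
    preloadlist_enabled: bool = True   # network.stricttransportsecurity.preloadlist
    https_only_mode: bool = False      # HTTPS-Only Mode (Settings > Privacy & Security)
    https_first_pbm: bool = True       # dom.security.https_first_pbm
    private_window: bool = False

    def learn_hsts(self, host, header):
        """Record an HSTS header received over https (caller guarantees the scheme)."""
        parsed = parse_hsts(header)
        if parsed is not None:  # max-age=0 tells the browser to forget the host
            (self.hsts_hosts.discard if parsed["max_age"] == 0 else self.hsts_hosts.add)(host)

    def why_upgraded(self, url):
        """Name the mechanism that upgrades an http:// navigation, or None if none applies."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return None
        if parts.hostname in self.hsts_hosts:
            return "HSTS (cached header)"
        if self.preloadlist_enabled and parts.hostname in self.preload_list:
            return "HSTS preload list"
        if self.https_only_mode:
            return "HTTPS-Only Mode"
        if self.private_window and self.https_first_pbm:
            return "HTTPS-First in private browsing"
        return None
```

Running `why_upgraded` with the preload list disabled and `private_window=True` reproduces the situation in comments 4 and 5: the upgrade comes from HTTPS-First in private browsing, not from HSTS.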