HTTPS is forced on third-level domains after visiting the second-level domain via HTTPS




7 years ago
7 years ago


(Reporter: morpheus3k+bugzilla, Unassigned)


9 Branch

Firefox Tracking Flags

(Not tracked)




7 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0
Build ID: 20111109112850

Steps to reproduce:

I am running two different web servers (with two different IP addresses). The first runs my second-level domain ( and the second runs a third-level domain ( My main web server ( is reachable via HTTP (Port 80) and via HTTPS (Port 443). Additionally I send the header for HTTP Strict Transport Security (HSTS). Therefore HTTP requests to my main server (second-level domain: get automatically changed to HTTPS requests by Firefox.
My second web server (third-level domain: is just running HTTP (Port 80) and is not running SSL-based HTTPS on Port 443.
I try to access my website.

Actual results:

I got the Firefox message "The connection has timed out".
After investigation I found that Firefox tries to access But on the second server I do not run HTTPS (Port 443).

Expected results:

The Browser should have accessed Port 80 for the third-level domain (


7 years ago
OS: Windows 7 → All
Hardware: x86_64 → All
What is the exact STS header sent by your site?
And better yet, are there public URIs for these two servers that would let me just get that information myself?

Comment 3

7 years ago
"Strict-Transport-Security	max-age=2592000; includeSubdomains"

That's embarrassing. I haven't checked this header. Sorry for your time. My fault!
No problem.  Thanks for double-checking that!
Last Resolved: 7 years ago
Resolution: --- → INVALID
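
The behaviour behind this report, as an added example that is not part of the original bug thread and not Firefox's code: a small model of how a user agent applies a `Strict-Transport-Security` header with `includeSubDomains` to subdomains, following RFC 6797. The `example.test` host names, `HstsStore` and its method names are assumptions made for illustration.

```python
import re

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid.

    Per RFC 6797 section 6.1: directive names are case-insensitive, max-age
    is required, and a directive may appear only once.
    """
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return int(seen["max-age"]), "includesubdomains" in seen

class HstsStore:
    """Minimal model of a browser's list of known HSTS hosts."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def note_https_response(self, host, header, now):
        policy = parse_hsts(header)
        if policy is None:
            return  # invalid headers are ignored
        max_age, include_subdomains = policy
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 removes the entry
        else:
            self.hosts[host] = (now + max_age, include_subdomains)

    def upgrades(self, host, now):
        """True if a plain-HTTP request to host would be rewritten to HTTPS."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # Exact match always applies; a parent applies only with the flag.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

if __name__ == "__main__":
    store = HstsStore()  # example.test names are constructed placeholders
    store.note_https_response("example.test", "max-age=2592000; includeSubdomains", 0)
    print(store.upgrades("sub.example.test", 60))  # subdomain is forced to HTTPS
```

Running the same check against every host name served under a domain before enabling `includeSubDomains` shows which HTTP-only hosts would become unreachable.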