X
Tap here to go to the mobile version of the site.

Support Forum

Stop firefox from forcing https:// even with autofill false

Posted

Hello,

When I request Firefox to open a webpage on my own website using the http:// protocol Firefox still uses the https:// protocol. This is on my own website so I have control over the redirect/rewrite settings and there is no setting that I know off. Furthermore Internet Explorer just loads the page via http:// when I type the URL in the address bar. Chrome does it fine as well.

I have tried disabling the autoFill and autocomplete for the URLbar, I even cleared my history. I have also check with the developer tools (F12) and the NET console, Firefox never requests the page using http:// but directly using https:// despite my efforts typing the URL with http://.

   "browser.urlbar.autoFill": false,
   "browser.urlbar.trimURLs": false,
   "browser.urlbar.autoFill.typed": false,
   "browser.urlbar.autocomplete.enabled": false,

I have checked with an external site for the headers and they are just 200 OK for the http url I'm trying to reach.

If need I can write the link so you can test for yourself.

Thanks for your help. Regards

Hello, When I request Firefox to open a webpage on my own website using the http:// protocol Firefox still uses the https:// protocol. This is on my own website so I have control over the redirect/rewrite settings and there is no setting that I know off. Furthermore Internet Explorer just loads the page via http:// when I type the URL in the address bar. Chrome does it fine as well. I have tried disabling the autoFill and autocomplete for the URLbar, I even cleared my history. I have also check with the developer tools (F12) and the NET console, Firefox never requests the page using http:// but directly using https:// despite my efforts typing the URL with http://. "browser.urlbar.autoFill": false, "browser.urlbar.trimURLs": false, "browser.urlbar.autoFill.typed": false, "browser.urlbar.autocomplete.enabled": false, I have checked with an external site for the headers and they are just 200 OK for the http url I'm trying to reach. If need I can write the link so you can test for yourself. Thanks for your help. Regards

Chosen solution

Are there any parts of your site where you use HTTPS? Sometimes an administrative page will send Firefox a header indicating that it must always use HTTPS ("Strict Transport Security"), and that is remembered for the entire domain, even for pages that should not use HTTPS.

If you think this is a possibility, to clear that setting, you can try this:

In the Library dialog (Ctrl+Shift+h), right-click a history entry for your server and choose Forget About This Site. This will clear the permission/restriction settings for the site, as well as history, cookies, and any bookmarks to the site.

If you don't want to lose all those items, there is a more roundabout way to do it. Please see this post and the one following: https://support.mozilla.org/questions/984794#answer-528146

Read this answer in context 2

Additional System Details

Installed Plug-ins

  • Next Generation Java Plug-in 11.25.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Shockwave Flash 15.0 r0
  • Google Update
  • NVIDIA 3D Vision plugin for Mozilla browsers
  • NVIDIA 3D Vision Streaming plugin for Mozilla browsers
  • Battlelog Game Launcher (2.4.0)
  • 5.1.30514.0
  • BiddingTraveler Autobid
  • Winamp Application Detector
  • GEPlugin
  • VMware Remote Console Plug-in
  • DYMO Label Framework Plugin
  • NPWLPG
  • VMware Remote Console and Client Integration Plug-in
  • Windows Activation Technologies Plugin for Mozilla
  • Garmin Communicator Plug-In 2.6.3.0

Application

  • Firefox 31.0
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
  • Support URL: https://support.mozilla.org/1/firefox/31.0/WINNT/nl/

Extensions

  • Adblock Plus 2.6.5 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • Add-on Compatibility Reporter 2.0.4 (compatibility@addons.mozilla.org)
  • Color Management 0.5.3 (color_management@seanhayes.name)
  • DNS Flusher 3.0.1 ({7d575baa-b543-11dc-8314-0800200c9a66})
  • Exif Viewer 2.00 (exif_viewer@mozilla.doslash.org)
  • Google Translator for Firefox 2.1.0.3m (translator@zoli.bod)
  • IE View 1.5.6 ({6e84150a-d526-41f1-a480-a67d3fed910d})
  • Image Zoom 0.6.3 ({1A2D0EC4-75F5-4c91-89C4-3656F6E44B68})
  • Saved Password Editor 2.7.3 (savedpasswordeditor@daniel.dawson)
  • The Bidding Traveler Autobid 1.0.74 ({5b6174e1-e579-41de-8b6b-85030765bec0})
  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • avast! Online Security 9.0.2021.112 (wrc@avast.com) (Inactive)
  • ClipConverter Desktop 1.1.2 (desktop@clipconverter.cc) (Inactive)
  • Cookies Manager+ 1.5.2 ({bb6bc1bb-f824-4702-90cd-35e2fb24f25d}) (Inactive)
  • EventBug 0.1b10 (eventbug@getfirebug.com) (Inactive)
  • Firebug 2.0.4 (firebug@software.joehewitt.com) (Inactive)
  • Firecookie 1.4 (firecookie@janodvarko.cz) (Inactive)
  • FirePHP 0.7.4 (FirePHPExtension-Build@firephp.org) (Inactive)
  • FireStarter 0.1a6 (firestarter@getfirebug.com) (Inactive)
  • Flagfox 5.0.8 ({1018e4d6-728f-4b20-ad56-37578a4de76b}) (Inactive)
  • Garmin Communicator 4.2.0.0 ({195A3098-0BD5-4e90-AE22-BA1C540AFD1E}) (Inactive)
  • ImageHost Grabber 1.6.5.5 ({E4091D66-127C-11DB-903A-DE80D2EFDFE8}) (Inactive)
  • Logitech Scroll App 2.00 ({5D3F3872-91E9-4d59-AD9F-AA174A3145DD}) (Inactive)
  • Page Speed 1.12.9.2 ({e3f6c2cc-d8db-498c-af6c-499fb211db97}) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA GeForce GTX 760
  • adapterDescription2:
  • adapterDeviceID: 0x1187
  • adapterDeviceID2:
  • adapterDrivers: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  • adapterDrivers2:
  • adapterRAM: 2048
  • adapterRAM2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • clearTypeParameters: Gamma: 2200 Pixel Structure: R ClearType Level: 50 Enhanced Contrast: 50
  • direct2DEnabled: False
  • direct2DEnabledMessage: [u'']
  • directWriteEnabled: False
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 9-13-2014
  • driverDate2:
  • driverVersion: 9.18.13.4411
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'skia', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'cairo', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 0
  • numAcceleratedWindowsMessage: [u'']
  • numTotalWindows: 1
  • webglRenderer: Google Inc. -- ANGLE (NVIDIA GeForce GTX 760 Direct3D9Ex vs_3_0 ps_3_0)
  • windowLayerManagerRemote: False
  • windowLayerManagerType: Basic

Modified Preferences

  • accessibility.typeaheadfind: True
  • accessibility.typeaheadfind.flashBar: 0
  • browser.cache.disk.capacity: 153600
  • browser.cache.disk.smart_size.enabled: False
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.frecency_experiment: 3
  • browser.history_expire_days.mirror: 180
  • browser.places.importBookmarksHTML: False
  • browser.places.importDefaults: False
  • browser.places.leftPaneFolderId: -1
  • browser.places.migratePostDataAnnotations: False
  • browser.places.smartBookmarksVersion: 7
  • browser.places.updateRecentTagsUri: False
  • browser.search.useDBForOrder: True
  • browser.sessionstore.max_tabs_undo: 5
  • browser.sessionstore.restore_on_demand: False
  • browser.sessionstore.upgradeBackup.latestBuildID: 20140716183446
  • browser.startup.homepage_override.buildID: 20140716183446
  • browser.startup.homepage_override.mstone: 31.0
  • browser.tabs.warnOnClose: False
  • browser.urlbar.autocomplete.enabled: False
  • browser.urlbar.autoFill: False
  • browser.urlbar.autoFill.typed: False
  • browser.urlbar.trimURLs: False
  • dom.ipc.plugins.enabled.npcoolirisplugin.dll: False
  • dom.max_script_run_time: 1800
  • dom.mozApps.used: True
  • dom.w3c_touch_events.expose: False
  • extensions.checkCompatibility: False
  • extensions.checkCompatibility.10.0: False
  • extensions.checkCompatibility.10.0a: False
  • extensions.checkCompatibility.11.0: False
  • extensions.checkCompatibility.11.0a: False
  • extensions.checkCompatibility.12.0: False
  • extensions.checkCompatibility.12.0a: False
  • extensions.checkCompatibility.3.6: False
  • extensions.checkCompatibility.3.6.previous: False
  • extensions.checkCompatibility.3.6b: False
  • extensions.checkCompatibility.3.6b.previous: False
  • extensions.checkCompatibility.3.6p: False
  • extensions.checkCompatibility.3.6p.previous: False
  • extensions.checkCompatibility.3.6pre: False
  • extensions.checkCompatibility.3.6pre.previous: False
  • extensions.checkCompatibility.3.7a: False
  • extensions.checkCompatibility.3.7a.previous: False
  • extensions.checkCompatibility.4.0: False
  • extensions.checkCompatibility.4.0.previous: False
  • extensions.checkCompatibility.4.0b: False
  • extensions.checkCompatibility.4.0b.previous: False
  • extensions.checkCompatibility.4.0p: False
  • extensions.checkCompatibility.4.0p.previous: False
  • extensions.checkCompatibility.4.0pre: False
  • extensions.checkCompatibility.4.0pre.previous: False
  • extensions.checkCompatibility.4.2: False
  • extensions.checkCompatibility.4.2.previous: False
  • extensions.checkCompatibility.4.2a: False
  • extensions.checkCompatibility.4.2a.previous: False
  • extensions.checkCompatibility.4.2b: False
  • extensions.checkCompatibility.4.2b.previous: False
  • extensions.checkCompatibility.4.2p: False
  • extensions.checkCompatibility.4.2p.previous: False
  • extensions.checkCompatibility.4.2pre: False
  • extensions.checkCompatibility.4.2pre.previous: False
  • extensions.checkCompatibility.5.0: False
  • extensions.checkCompatibility.5.0.previous: False
  • extensions.checkCompatibility.5.0a: False
  • extensions.checkCompatibility.5.0a.previous: False
  • extensions.checkCompatibility.5.0b: False
  • extensions.checkCompatibility.5.0b.previous: False
  • extensions.checkCompatibility.5.0p: False
  • extensions.checkCompatibility.5.0p.previous: False
  • extensions.checkCompatibility.5.0pre: False
  • extensions.checkCompatibility.5.0pre.previous: False
  • extensions.checkCompatibility.6.0: False
  • extensions.checkCompatibility.6.0.previous: False
  • extensions.checkCompatibility.6.0a: False
  • extensions.checkCompatibility.6.0a.previous: False
  • extensions.checkCompatibility.7.0: False
  • extensions.checkCompatibility.7.0.previous: False
  • extensions.checkCompatibility.7.0a: False
  • extensions.checkCompatibility.7.0a.previous: False
  • extensions.checkCompatibility.8.0: False
  • extensions.checkCompatibility.8.0.previous: False
  • extensions.checkCompatibility.8.0a: False
  • extensions.checkCompatibility.8.0a.previous: False
  • extensions.checkCompatibility.9.0: False
  • extensions.checkCompatibility.9.0a: False
  • extensions.checkCompatibility.nightly: False
  • extensions.checkCompatibility.nightly.previous: False
  • extensions.checkCompatibility.previous: False
  • extensions.lastAppVersion: 31.0
  • font.internaluseonly.changed: False
  • font.minimum-size.x-western: 10
  • gfx.color_management.display_profile: C:\Windows\System32\spool\drivers\color\Fujitsu P27T-6 IPS OFFICEM NATIVEC.icm
  • gfx.color_management.enablev4: True
  • gfx.color_management.mode: 1
  • gfx.direct2d.disabled: True
  • gfx.direct3d.prefer_10_1: True
  • javascript.options.showInConsole: False
  • layers.acceleration.disabled: True
  • network.cookie.prefsMigrated: True
  • network.http.max-persistent-connections-per-proxy: 12
  • network.http.max-persistent-connections-per-server: 18
  • network.http.pipelining.maxrequests: 6
  • network.protocol-handler.warn-external.file: False
  • network.protocol-handler.warn-external.irc: False
  • network.protocol-handler.warn-external.mms: False
  • places.database.lastMaintenance: 1414014625
  • places.history.expiration.transient_current_max_pages: 104858
  • places.history.expiration.transient_optimal_database_size: 167772160
  • places.last_vacuum: 1295546646
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: True
  • plugin.state.npadobeaamdetect: 0
  • plugin.state.npican: 0
  • privacy.cpd.cookies: False
  • privacy.cpd.sessions: False
  • privacy.sanitize.migrateFx3Prefs: True
  • privacy.sanitize.timeSpan: 0
  • security.disable_button.openCertManager: False
  • security.disable_button.openDeviceManager: False
  • security.warn_viewing_mixed: False
  • security.warn_viewing_mixed.show_once: False
  • storage.vacuum.last.index: 1
  • storage.vacuum.last.places.sqlite: 1413483705

Misc

  • User JS: Yes
  • Accessibility: No
jscher2000
  • Top 10 Contributor
8635 solutions 70627 answers

Chosen Solution

Are there any parts of your site where you use HTTPS? Sometimes an administrative page will send Firefox a header indicating that it must always use HTTPS ("Strict Transport Security"), and that is remembered for the entire domain, even for pages that should not use HTTPS.

If you think this is a possibility, to clear that setting, you can try this:

In the Library dialog (Ctrl+Shift+h), right-click a history entry for your server and choose Forget About This Site. This will clear the permission/restriction settings for the site, as well as history, cookies, and any bookmarks to the site.

If you don't want to lose all those items, there is a more roundabout way to do it. Please see this post and the one following: https://support.mozilla.org/questions/984794#answer-528146

Are there any parts of your site where you use HTTPS? Sometimes an administrative page will send Firefox a header indicating that it must always use HTTPS ("Strict Transport Security"), and that is remembered for the entire domain, even for pages that should not use HTTPS. If you think this is a possibility, to clear that setting, you can try this: In the Library dialog (Ctrl+Shift+h), right-click a history entry for your server and choose Forget About This Site. This will clear the permission/restriction settings for the site, as well as history, cookies, and any bookmarks to the site. If you don't want to lose all those items, there is a more roundabout way to do it. Please see this post and the one following: https://support.mozilla.org/questions/984794#answer-528146

Question owner

It's actually Wordpress, and yes I have setup the option for using HTTPS to login to the administrative part. I'm not logged at the moment.

So it's true that a certain part of the website does automatically use HTTPS.

I have tried your suggesting and it works after forgetting the site and restarting firefox.

I then read the other topic, and indeed I have configured STS on the webserver config. I have changed the config after reading more about Strict-Transport-Security and it's purpose, clearly I should have done that before configuring it.

So thank you, for your excellent help!

It's actually Wordpress, and yes I have setup the option for using HTTPS to login to the administrative part. I'm not logged at the moment. So it's true that a certain part of the website does automatically use HTTPS. I have tried your suggesting and it works after forgetting the site and restarting firefox. I then read the other topic, and indeed I have configured STS on the webserver config. I have changed the config after reading more about Strict-Transport-Security and it's purpose, clearly I should have done that before configuring it. So thank you, for your excellent help!
mikevp 0 solutions 1 answers

I started having this problem with my web page last night, making it impossible to use the page at all with Firefox. It works perfectly with Chrome, or *gag, retch* Internet Exposure.

A sample link is http://www.calweb.com/~mvp/unicode.html

The problem exists with every page in my directory.

I brought up the history and clicked "forget" on calweb.com.

I installed SQLite Manager, and went through every single SQLite database and table, doing a complete search-and-destroy on any URL that mentioned calweb.

It is still forcing https when I type http, with the result that I get a 404. (Unfortunately, I have no control over how Calweb handles https. They return a 404 on user pages that attempt https.)

I started having this problem with my web page last night, making it impossible to use the page at all with Firefox. It works perfectly with Chrome, or *gag, retch* Internet Exposure. A sample link is http://www.calweb.com/~mvp/unicode.html The problem exists with every page in my directory. I brought up the history and clicked "forget" on calweb.com. I installed SQLite Manager, and went through every single SQLite database and table, doing a complete search-and-destroy on any URL that mentioned calweb. It is still forcing https when I type http, with the result that I get a 404. (Unfortunately, I have no control over how Calweb handles https. They return a 404 on user pages that attempt https.)

Helpful Reply

Hi mikevp,

You have the same problem I had. When I click your link for the first time (using HTTP) there is no problem. When I manually change the URL to use HTTPS I get a 404 error page, but this error page has STS headers set. To explain it in short terms this STS header tells the browser that all webpages of this domain should always be opened using HTTPS. This is a security measure to stop man in the middle attacks using non-https pages. It really should only be set for really sensitive websites such as home banking.

The problem is that Firefox supports the STS header and as such will from now on only open pages on your domain using HTTPS. You can make firefox forget ever seeing this header by using the forget option (I had to do it twice), but you need to make sure firefox doesn't see the header the next time you try a HTTPS page on your domain.

If you are responsible for the configuration of the webserver, remove the STS option in the config. If it is your host tell them the problem and they should change the configuration.

PS: I have added a screenshot of the repsonse headers sent by the 404 error page that shows the STS header that is causing the trouble.

So to sum up, Firefox follows this strict security header, and it's not firefox's fault but the configuration of the webserver.

Hi mikevp, You have the same problem I had. When I click your link for the first time (using HTTP) there is no problem. When I manually change the URL to use HTTPS I get a 404 error page, but this error page has STS headers set. To explain it in short terms this STS header tells the browser that all webpages of this domain should always be opened using HTTPS. This is a security measure to stop man in the middle attacks using non-https pages. It really should only be set for really sensitive websites such as home banking. The problem is that Firefox supports the STS header and as such will from now on only open pages on your domain using HTTPS. You can make firefox forget ever seeing this header by using the forget option (I had to do it twice), but you need to make sure firefox doesn't see the header the next time you try a HTTPS page on your domain. If you are responsible for the configuration of the webserver, remove the STS option in the config. If it is your host tell them the problem and they should change the configuration. PS: I have added a screenshot of the repsonse headers sent by the 404 error page that shows the STS header that is causing the trouble. So to sum up, Firefox follows this strict security header, and it's not firefox's fault but the configuration of the webserver.