Local intranet http web servers not accessible after Firefox update to newer version
On Windows 10 with 64-bit Firefox, after updating from version 144 to 145, some local HTTP-only servers stopped working and became inaccessible. When I enter http://<local server name>, after a few seconds it automatically changes to https://<local server name>, and since no HTTPS service is running, it ends with a “Server not found” page. It seems to be related to DNS — accessing http://<IP address> works fine.
I tried a clean installation with a new user profile, but it didn’t help. Downgrading to version 144 fixes the problem, but at the cost of losing the user profile (which is a disaster). I also tried to check the HTTP-only settings (which I’ve never modified), but that didn’t help either.
Is anyone else experiencing the same issue?
Chosen solution
Issue explained. It turned out that the root cause was Firefox’s internal HSTS preload list, which most likely originates from the global HSTS list maintained at hstspreload.org.
Our website on a second-level domain had been mistakenly configured to return the following HTTP header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Over time, this caused the domain (and its subdomains) to be included in the HSTS preload list. As a result, Firefox now automatically upgrades all requests to HTTPS for these hostnames using an internal redirect (HTTP 307), even if only HTTP is explicitly requested.
That explains why http://<local server name> is silently rewritten to https://<local server name>, while accessing the service via a raw IP address continues to work.
More information can be found here: HTTP_Strict_Transport_Security_(HSTS)_Preload_List
So, Firefox 145 just received our domain in the list and behaves accordingly. Now we have to change at least the "preload" directive on our web server, post a request for removal from hstspreload.org, and wait...
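An added example, not part of the original thread and not Firefox's own code: a small audit that parses a Strict-Transport-Security value, reports whether it meets the hstspreload.org submission criteria (preload, includeSubDomains, max-age of at least one year), and shows which hostnames a browser holding that policy would upgrade to HTTPS. The domain example.com and the host names are constructed placeholders.

```python
import ipaddress

PRELOAD_MIN_MAX_AGE = 31536000  # one year: minimum max-age hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (directive names are case-insensitive)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def preload_eligible(policy):
    """True if the header invites inclusion in the preload list."""
    return (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] is not None
            and policy["max_age"] >= PRELOAD_MIN_MAX_AGE)

def upgraded_to_https(host, hsts_domain, policy):
    """True if a browser holding this policy for hsts_domain rewrites http://host."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False  # HSTS is keyed on host names, never on IP literals
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    domain = hsts_domain.lower().rstrip(".")
    if host == domain:
        return True
    return policy["include_subdomains"] and host.endswith("." + domain)

# Header value quoted in the answer above; hosts below are constructed samples.
HEADER = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    p = parse_hsts(HEADER)
    print("preload eligible:", preload_eligible(p))
    for h in ("intranet.example.com", "192.0.2.10", "notexample.com"):
        print(h, "->", "https" if upgraded_to_https(h, "example.com", p) else "http")
```

Running the same check against every public site on a domain before deploying the header shows whether HTTP-only internal hosts under that domain would be caught by includeSubDomains.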