Local intranet http web servers not accessible after Firefox update to newer version
On Windows 10 with 64-bit Firefox, after updating from version 144 to 145, some local HTTP-only servers stopped working and became inaccessible. When I enter http://<local server name>, after a few seconds it automatically changes to https://<local server name>, and since no HTTPS service is running, it ends with a “Server not found” page. It seems to be related to DNS — accessing http://<IP address> works fine.
I tried a clean installation with a new user profile, but it didn’t help. Downgrading to version 144 fixes the problem, but at the cost of losing the user profile (which is a disaster). I also tried to check the HTTP-only settings (which I’ve never modified), but that didn’t help either.
Is anyone else experiencing the same issue?
Modificado por lstefek a
Solução escolhida
Issue explained. It turned out that the root cause was Firefox’s internal HSTS preload list, which most likely originates from the global HSTS list maintained at hstspreload.org.
Our website on a second-level domain had been mistakenly configured to return the following HTTP header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Over time, this caused the domain (and its subdomains) to be included in the HSTS preload list. As a result, Firefox now automatically upgrades all requests to HTTPS for these hostnames using an internal redirect (HTTP 307), even if only HTTP is explicitly requested.
That explains why http://<local server name> is silently rewritten to https://<local server name>, while accessing the service via a raw IP address continues to work.
More information can be found here: HTTP_Strict_Transport_Security_(HSTS)_Preload_List
Ler esta resposta no contexto 👍 0Todas as respostas (2)
Solução escolhida
Issue explained. It turned out that the root cause was Firefox’s internal HSTS preload list, which most likely originates from the global HSTS list maintained at hstspreload.org.
Our website on a second-level domain had been mistakenly configured to return the following HTTP header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Over time, this caused the domain (and its subdomains) to be included in the HSTS preload list. As a result, Firefox now automatically upgrades all requests to HTTPS for these hostnames using an internal redirect (HTTP 307), even if only HTTP is explicitly requested.
That explains why http://<local server name> is silently rewritten to https://<local server name>, while accessing the service via a raw IP address continues to work.
More information can be found here: HTTP_Strict_Transport_Security_(HSTS)_Preload_List
Modificado por lstefek a
So, Firefox 145 just received our domain in the list and behaves accordingly. Now, we have to change at least "preload" directive on our web server, post request for removal from hstspreload.org and wait....
Modificado por lstefek a
Deve iniciar a sessão com a sua conta para responder às mensagens. Por favor, comece uma nova pergunta, se ainda não tiver uma conta.