"I understand the risks" option missing - page is read from cache
when trying to access website i am faced with a security warning since certificate is self signed. this is an internal site that is currently under testing - so it's ok to add an exception. the issue is, the option to select "i understand the risks" is completely missing, the only available action is "get me out of here"
since this is an internal site under our complete control i have performed some more tests: it seems firefox redirects the original http request to https this does not happen on other browsers (chrome and IE), also tested in a clean install of firefox running without any extensions.
even after cleaning the cache and temporary files completely, issue still remains. this site (on http) will not load on firefox, always redirected to https
even after removing apache mod_ssl from the server, and completely removing all mention of ssl on this server, connecting with firefox still redirects http to https (now results in "can't establish a connection to the server" error - but still not loading the basic http version of the site)
Amir.
Chosen solution
Forgot the screen shot of SQLite Manager.
Read this answer in context 👍 1All Replies (14)
Have you tried changing the proxy settings in Firefox?
not currently using any proxy.
If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab".
Here's another possibility.
If any application on the server ever sent Firefox a Strict-Transport-Security header indicating that SSL is mandatory, Firefox will remember that and always change HTTP URLs to HTTPS.
The easiest way to clear that is the somewhat drastic "Forget About This Site" feature that removes, history, cookies, bookmarks, and permissions related to the site.
You can access that feature using either:
- History Sidebar (command+shift+h) > right-click context menu
- Library dialog (History > Show All History) > right-click context menu
- about:permissions page (type or paste about:permissions in the address bar and press Enter, after the list loads, select the site, then look for the Forget button in the upper right of the page)
"Forget About This Site" option might be drastic, but it got the job done ;)
one note, in case someone else find this useful: i had to use "Forget About This Site" for the top level domain. the domain in OP was a sub-domain, clearing it did not change firefox behavior, only after setting to forget the top level domain the issue was resolved.
EDIT:
well i spoke too soon. after restarting firefox issue has returned. i am automatically redirected to https, with no option to add exception.
site is not listed under about:permissions anymore, but still not working.
Modified by amirtal2000
Hi amirtal2000, that's interesting, it worked until you exited and restarted Firefox. Puzzling.
One possibility is that a process internal to Firefox (extension) or external to Firefox (utility software) is restoring some of the settings you cleared. Although some users have discovered that Advanced SystemCare and some security suites include a feature such as "Surfing Protection", "Browser Protection", or "Home Page Protection" that can roll back some settings changes, this one seems a bit too obscure to be the subject of such a feature...
Currently, there is no user interface to check for the Strict Transport Security (STS) setting to see whether that is the issue. The only way I've been able to see it is using the SQLite Manager extension, then opening the permissions.sqlite database. (Screen shot of the search dialog attached for reference if you want to try it.)
Or, I see you have Live HTTP Headers and HttpFox. You might be able to see from one of those whether the server is mistakenly responding with a Strict-Transport-Security header for whatever you requested as the initial URL in your new session.
Chosen Solution
Forgot the screen shot of SQLite Manager.
performing same search for effected domain found 2 records using sts. after removing these records site is working as expected.
i suspect some other site i visit on the same domain might be causing it to ba marked as https again. since this is an internal testing site this is acceptable.
after opening one page in this domain using https issue returns:
using https://domain.com prevents any use of http://page1.domain.com or http://page2.domain.com
this is not acceptable browser behavior. chrome, IE, opera do not experience this issue.
Hi amirtal2000, Firefox only stores that setting if a Strict Transport Security header is sent by the server.
Since you found two records, one of them probably was the instruction to apply STS to subdomains. According to the documentation on Mozilla Developer Network, applying STS ot subdomains should be optional: https://developer.mozilla.org/en-US/d.../HTTP_Strict_Transport_Security. If that isn't being handled correctly, it could be a bug.
Can you check on exactly what header is being sent? You might be able to view it in the Web Console (open using Ctrl+Shift+k, then reload the page, then click the URL corresponding to the main page to view the headers), but since that is post-parsing, you might want to use an extension or external proxy to see the raw headers.
update: same issue also exist with following error: "The page isn't redirecting properly"
Modified by amirtal2000
did some digging..
original https site (https://tcc1.net) contains "Strict-Transport-Security" with following properties: max-age=31536000; includeSubDomains
is there a way to bypass this restriction? either by domain or just globally?
Modified by amirtal2000
Hi amirtal2000, could you stop sending the header from the server side?
Or there might be an extension to block or modify certain HTTP response headers. I found some that modify request headers but I didn't see any for response headers. And because it's an HTTPS connection, it could be tricky...
unfortunately there is no way of changing this value on the server side without this effecting other pages as well.
could not find any such extension either, only thing i found is an extension called TemperData that seems to perform desired task, however this extension was not updated since 2010 and does not seem to work with recent firefox version.
it's not really a firefox issue.. the server is (falsely) reporting strict transport for all sub-domains, where some sub-domains do not use https at all (since this is a test environment only accessible internally.
thank you for the detailed debugging of the issue and the explanation provided, this is one of most dedicated replies i have seen in any support forum :)