HTTPS redirection behavior changed in 88.0

  • 5 replies
  • 1 has this problem
  • 16 views
  • Last reply by jscher2000

I have to access a number of HTTP (not S) servers on a private work network. The URLs all look like http://resource.infra.example.com. Using Firefox 88.0 the protocol URL is automatically changed to https:// and I get an error "Unable to connect. Firefox can’t establish a connection to the server at recourse.infra.example.com". This makes sense because these servers are not HTTPS, but Firefox's behavior seems broken.

  • I *do* get redirected with a fresh profile in Firefox 88.0.
  • I *do* get redirected in safe mode in Firefox 88.0.
  • I *do* get redirected in Firefox 89.0b4.
  • I *do* get redirected in >= 88.0 regardless of whether HTTPS Only is enabled in Preferences (if it's enabled I get the new HTTP warning, and then I get redirected to HTTPS).
  • I *don't* get redirected in Firefox 87.0 (regardless of profile or safe mode).
  • I *don't* get redirected in Safari and Chrome.
  • I *don't* get redirected by curl.

Inspecting these sites' headers with curl gives:

    $ curl -sI http://resource.infra.example.com
    HTTP/1.1 200 OK
    Content-Length: 4198
    Content-Type: text/html; charset=utf-8
    Date: Wed, 28 Apr 2021 02:43:01 GMT
    Etag: W/"1066-CEROUmmTJBPO73vecAgQwYdTSow"
    Vary: Accept-Encoding
    X-Content-Type-Options: nosniff
    X-Dns-Prefetch-Control: off
    X-Download-Options: noopen
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1; mode=block

It seems like something changed in 88.0, but I don't see anything related to HTTPS in the 88.0 release notes: https://www.mozilla.org/en-US/firefox/88.0/releasenotes/.

What changed? How can I fix it?

All Replies (5)

Is HTTPS-only mode enabled? You can check here:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type https and Firefox should filter the page, with the HTTPS-Only Mode section at the bottom. If you make sure this is turned off, does that make any difference?

Helpful?

I get redirected in >= 88.0 regardless of whether HTTPS Only is enabled in Preferences (if it's enabled I get the new HTTP warning, and then I get redirected to HTTPS).

Helpful?

Chosen Solution

I can't replicate that with an HTTPS only .com site, but then, I am not visiting your actual servers.

Strict Transport Security

Firefox may forcibly upgrade a connection if either:

(1) You have successfully used HTTPS with a site on that server in the past, and that server sent Firefox a Strict Transport Security header. Unless something has changed, Firefox will apply that to all subdomains.

(2) The domain or its top-level domain is on the pre-loaded HSTS list.

For #1:

To clear the HSTS flag, you could edit the line for the site out of a file named SiteSecurityServiceState.txt (or simply remove that entire file). Of course, such changes should be made when Firefox is not running.

To easily locate your profile folder, see: Profiles - Where Firefox stores your bookmarks, passwords and other user data.

For #2:

You could test disabling the list to see whether that makes any difference:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

(2) In the search box in the page, type or paste network.stricttransportsecurity.preloadlist and pause while the list is filtered

(3) Double-click the preference to switch the value from true to false

Helpful?
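
The two upgrade conditions described in the chosen solution, as an added example that is not part of the original thread and is not Firefox code: a simplified Python model of RFC 6797 host matching. The function names, the in-memory `store` and `preload` dictionaries and the sample data are assumptions made for illustration.

```python
# Added example: simplified model of RFC 6797 host matching, not Firefox code.
from dataclasses import dataclass

@dataclass
class Policy:
    expires: float             # absolute expiry time in seconds
    include_subdomains: bool

def parse_sts(header, now):
    """Parse a Strict-Transport-Security value; None if max-age is unusable."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else Policy(now + max_age, include_sub)

def note_response(store, host, scheme, header, now):
    """Record a policy only if it arrived over HTTPS (RFC 6797 section 8.1)."""
    policy = parse_sts(header, now) if scheme == "https" else None
    if policy is not None and policy.expires > now:
        store[host.lower()] = policy
    elif policy is not None:            # max-age=0 deletes the stored entry
        store.pop(host.lower(), None)

def upgrade_reason(host, store, preload, now, preload_enabled=True):
    """Say why http://host would be upgraded, or None if it would not be."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):        # the host itself, then each parent
        name, exact = ".".join(labels[i:]), i == 0
        p = store.get(name)
        if p and p.expires > now and (exact or p.include_subdomains):
            return f"dynamic:{name}"
        if preload_enabled and name in preload and (exact or preload[name]):
            return f"preload:{name}"
    return None

def demo():
    """Constructed data; example.com stands in for the poster's domain."""
    now, store, host = 1000.0, {}, "resource.infra.example.com"
    note_response(store, "example.com", "http", "max-age=600", now)  # ignored
    preload = {"example.com": True}     # assumed entry that covers subdomains
    return tuple(upgrade_reason(host, store, preload, now, on) for on in (True, False))
```

In this model, turning the preload list off stops only the second kind of upgrade; an unexpired entry learned from an earlier HTTPS response on a parent domain with includeSubDomains still applies.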

Thank you!

It seems like someone added our company domain to the HSTS preload list, and that change made it into Firefox 88.0. I was the first person to notice as a Firefox user, but presumably this will break Chrome users too when the addition shows up there.

network.stricttransportsecurity.preloadlist fixed it (at the expense of security). Too bad the preload list is all or nothing.

Helpful?

cottonplane said

network.stricttransportsecurity.preloadlist fixed it (at the expense of security). Too bad the preload list is all or nothing.

Perhaps it will be temporary if you can get the server off the list quickly...

Helpful?
