
This thread was archived. Please ask a new question if you need help.

HTTPS redirection behavior changed in 88.0


I have to access a number of HTTP (not S) servers on a private work network. The URLs all look like http://resource.infra.example.com. Using Firefox 88.0 the protocol URL is automatically changed to https:// and I get an error "Unable to connect. Firefox can’t establish a connection to the server at recourse.infra.example.com". This makes sense because these servers are not HTTPS, but Firefox's behavior seems broken.

  • I *do* get redirected with a fresh profile in Firefox 88.0.
  • I *do* get redirected in safe mode in Firefox 88.0.
  • I *do* get redirected in Firefox 89.0b4.
  • I *do* get redirected in >= 88.0 regardless of whether HTTPS Only is enabled in Preferences (if it's enabled I get the new HTTP warning, and then I get redirected to HTTPS).
  • I *don't* get redirected in Firefox 87.0 (regardless of profile or safe mode).
  • I *don't* get redirected in Safari and Chrome.
  • I *don't* get redirected by curl.

Inspecting these sites' headers with curl gives:

    $ curl -sI http://resource.infra.example.com
    HTTP/1.1 200 OK
    Content-Length: 4198
    Content-Type: text/html; charset=utf-8
    Date: Wed, 28 Apr 2021 02:43:01 GMT
    Etag: W/"1066-CEROUmmTJBPO73vecAgQwYdTSow"
    Vary: Accept-Encoding
    X-Content-Type-Options: nosniff
    X-Dns-Prefetch-Control: off
    X-Download-Options: noopen
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1; mode=block

It seems like something changed in 88.0, but I don't see anything related to HTTPS in the 88.0 release notes: https://www.mozilla.org/en-US/firefox/88.0/releasenotes/.

What changed? How can I fix it?



All Replies (5)


Is HTTPS-only mode enabled? You can check here:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type https and Firefox should filter the page, with the HTTPS-Only Mode section at the bottom. If you make sure this is turned off, does that make any difference?


I get redirected in >= 88.0 regardless of whether HTTPS Only is enabled in Preferences (if it's enabled I get the new HTTP warning, and then I get redirected to HTTPS).


Chosen Solution

I can't replicate that with an HTTPS only .com site, but then, I am not visiting your actual servers.

Strict Transport Security

Firefox may forcibly upgrade a connection if either:

(1) You have successfully used HTTPS with a site on that server in the past, and that server sent Firefox a Strict Transport Security header. Unless something has changed, Firefox will apply that to all subdomains.

(2) The domain or its top-level domain is on the pre-loaded HSTS list.

For #1:

To clear the HSTS flag, you could edit the line for the site out of a file named SiteSecurityServiceState.txt (or simply remove that entire file). Of course, such changes should be made when Firefox is not running.

To easily locate your profile folder, see: Profiles - Where Firefox stores your bookmarks, passwords and other user data.

For #2:

You could test disabling the list to see whether that makes any difference:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

(2) In the search box in the page, type or paste network.stricttransportsecurity.preloadlist and pause while the list is filtered

(3) Double-click the preference to switch the value from true to false
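The two upgrade paths listed in the answer above, as an added Python example that is not part of the original thread and is not Firefox's code. Header parsing and subdomain matching follow RFC 6797, under which a policy covers subdomains only when it carries includeSubDomains; the in-memory `store` and `PRELOAD` dictionaries and all function names are hypothetical stand-ins for the browser's HSTS state and preload list.

```python
from urllib.parse import urlsplit

PRELOAD = {"example.com": True}  # constructed sample: name -> includeSubDomains

def parse_sts(header):
    """Parse a Strict-Transport-Security value; None means the header is ignored."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in seen:
            return None                       # a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')  # the value may be a quoted-string
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def note_header(store, host, header, now):
    """Record (or, for max-age=0, delete) the policy a host sent over HTTPS."""
    parsed = parse_sts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = (now + max_age, include_sub)

def upgrade_reason(store, preload, url, now):
    """Return why an http:// URL would be rewritten to https://, or None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return None
    labels = parts.hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # the host itself, then each parent domain
        name = ".".join(labels[i:])
        dyn = store.get(name)
        if dyn and dyn[0] > now and (i == 0 or dyn[1]):
            return f"dynamic HSTS from {name}"
        if name in preload and (i == 0 or preload[name]):
            return f"preloaded HSTS from {name}"
    return None
```

Calling `upgrade_reason({}, PRELOAD, "http://resource.infra.example.com", now)` reports the preloaded parent domain as the cause, which is the situation the thread ends up diagnosing.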


Thank you!

It seems like someone added our company domain to the HSTS preload list, and that change made it into Firefox 88.0. I was the first person to notice as a Firefox user, but presumably this will break Chrome users too when the addition shows up there.

network.stricttransportsecurity.preloadlist fixed it (at the expense of security). Too bad the preload list is all or nothing.


cottonplane said

network.stricttransportsecurity.preloadlist fixed it (at the expense of security). Too bad the preload list is all or nothing.

Perhaps it will be temporary if you can get the server off the list quickly...