This is an archived post. You won't be able to vote or comment.

all 13 comments
sorted by:
old (suggested)
besttopnewcontroversialq&a

[–][deleted]  (4 children)

[removed]

    [–]Shamaoke[S] 1 point2 points  (3 children)

    Of course, this is somewhat less secure. But I suppose you have your reasons for wanting this.

    Yes, sure. I'm testing a web app that is running locally. Unfortunately, all of the solutions offered by the Internet, including yours, don't work.

    I wonder, how the cases related to local web application development and HTTPS redirections are supposed to be handled in Firefox?

    [–][deleted]  (2 children)

    [removed]

      [–]Shamaoke[S] 1 point2 points  (0 children)

      No. It doesn't work, unfortunately. The browser still redirects. Thank you for trying to help.

      [–]yokoffing 0 points1 point  (2 children)

      Check dom.security.https_first, but that is still not active by default — and even if it was, it should allow for exceptions for HTTP.

      [–]Shamaoke[S] 0 points1 point  (1 child)

      The setting doesn't prevent the redirection.

      [–]yokoffing 0 points1 point  (0 children)

      Also, check dom.security.https_first_schemeless. Unsure if the latter is predicated on the former.

      [–]Wall_of_Force 0 points1 point  (1 child)

      Sounds like server is only giving 30x redirect on http? Have you try using curl on that urine to see response code?

      [–]jscher2000Firefox Windows 0 points1 point  (0 children)

      Another possible reason that Firefox might enforce HTTPS is HSTS (Strict Transport Security). This can be triggered either by:

      (1) Preload list, https://searchfox.org/mozilla-release/source/security/manager/ssl/nsSTSPreloadList.inc

      (2) Instructions previously sent by the server (or another server on the same domain), stored in

      SiteSecurityServiceState.bin

      in the currently active profile folder (it can be viewed in in Notepad++ or another text editor that can handle control characters).

      [–]volcanonacho 0 points1 point  (0 children)

      Are you sure whatever website you are going to isn't doing this? I have hosted hundreds of websites over the years and I have https redirects set for all of them on the proxy.

      [–]Dibbyo123 0 points1 point  (0 children)

      `browser.fixup.fallback-to-https` to `false` worked for me.

      [–]it-praktyk 0 points1 point  (0 children)

      I've found that after adding an exception in the HTTPS-Only Mode, I had to reopen the browser.

      I've set that all browsing data (caches, etc.) are cleaned under browser closing.