Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox 61.0.1 (64-bit) Forces the URI "http://new/" to "HTTPS://new/"

more options

We have an intranet site that is named "new". This site does not support HTTPS.

With the update to version 61.0.1 typing "http://new/" into the browser forces "HTTPS://new/"

However I created another DNS name "new1" and everything works fine.

Downgraded to 60.0.2 and the issue goes away.

I've tested this on multiple machines with upgrades and fresh installs.

It appears that somewhere in the latest update, the URI "new" has been mapped to something. How do I fix this, the shortcut to that URI is in too many place to fix, and as more user's get updated to the latest version this is going to become a huge headache.

Thanks

We have an intranet site that is named "new". This site does not support HTTPS. With the update to version 61.0.1 typing "http://new/" into the browser forces "HTTPS://new/" However I created another DNS name "new1" and everything works fine. Downgraded to 60.0.2 and the issue goes away. I've tested this on multiple machines with upgrades and fresh installs. It appears that somewhere in the latest update, the URI "new" has been mapped to something. How do I fix this, the shortcut to that URI is in too many place to fix, and as more user's get updated to the latest version this is going to become a huge headache. Thanks

Modified by Networked_Greatness

All Replies (6)

more options

Figured it out.

I'll leave this here for anyone you happens to google upon this.

Firefox 61 changed the HTST and now forces "new" to use HTTPS prior to even reaching out of the computer.

You can disable this by modifying "network.stricttransportsecurity.preloadlist" in about:config from true to false

This probably isn't super secure because that list also contains things like youtube and the google play store, but it buys me a time to fix my naming conventions.

more options

So your site is just http://new and nothing else?

more options

This seems wrong, doesn't it? While https://somedomain.new/ is forced to HTTPS at the request of the registry operator, I don't know why the "local" hostname http://new/ should be forced to HTTPS. Seems like a mistake.

Not that I think it will come up all that often, but you could consider filing a bug so you have the freedom to name one of your servers android or dev without having to get an SSL cert for it.

https://bugzilla.mozilla.org/enter_bug.cgi

more options

Yes and no.

The site has a proper FQDN, but the old support staff (some where around 12 years ago) was a bit lazy and mapped a bunch of shortcuts and user favorites to just http://new/<app name>. Which worked until now.

I get that this is probably a rare issue, but It was super annoying to work out why all of a sudden things stopped working and only for certain users.

Also after some more research I found that chrome is going to be implementing the same changes in version 69.

more options

Networked_Greatness said

Also after some more research I found that chrome is going to be implementing the same changes in version 69.

Firefox uses Chrome's HSTS list, so I'm surprised Chrome isn't enforcing this yet. They always let Firefox go first on the unpopular stuff. ;-)

more options

Just in case any one wants to follow I've submitted a bug report

Bug 1475450

See where that goes