5

tl;dr I want to browse an http-based URL but Firefox will not let me.

A local network HTTP server is at http://host (port 80) and the corresponding HTTPS server is at https://host (port 443).

When I type into the Firefox Address Bar http://host, Firefox insists on changing the URL to https://host.
Using the Web Developer Tools -> Network tab, I can see Firefox goes directly to https://host despite my entry of http://host. Firefox is not receiving an HTTP 300 Redirect from the server.

How do I instruct Firefox to not overwrite http with https?
How do I instruct Firefox to connect to http://host?


Using Firefox 100 on Windows 10.

JamesThomasMoon
  • 752
  • 1
  • 6
  • 18
  • 2
    I commend your attention to https://support.mozilla.org/en-US/kb/https-only-prefs#firefox:win10:fx100 – Jeff Zeitlin May 17 '22 at 19:44
  • 2
    Did your HTTPS server perhaps, at any point in the recent past, serve a HSTS header? – Daniel B May 17 '22 at 19:51
  • 1
    also, if you haven't enabled HTTPS-Only mode, and have never had HSTS on the HTTPS version of the site,look at this: https://support.mozilla.org/en-US/questions/959914 . Once you have visited a site in HTTPS the address bar will remember and always prefer HTTPS. – Frank Thomas May 17 '22 at 21:51
  • Thanks @JeffZeitlin. The setting was already set to _Don’t enable HTTPS-Only Mode_. – JamesThomasMoon May 19 '22 at 19:50
  • Thanks @DanielB . In my case, according to the _Network_ tab, the selection of _https_ instead of _http_ occurs _before_ any HTTP communication occurs. Also, in the _Network_ tab, I checked _Disable Cache_. ⠀⠀⠀However, you wrote "_any point in the recent past, serve a HSTS header_". Firefox reported "_host has a security policy called HTTP Strict Transport Security (HSTS)_". This may be the culprit. – JamesThomasMoon May 19 '22 at 19:56
  • Thanks @FrankThomas . It appears that at some point the host returned an HSTS header. When I connect to `http://host`, the browser forces it to become `https://host`, then Firefox stops with a warning "_Firefox detected a potential security threat and did not continue to host because this website requires a secure connection. host has a security policy called HTTP Strict Transport Security (HSTS)_". – JamesThomasMoon May 19 '22 at 19:59
  • An immediate workaround I found is to use the IP Address of the host, e.g. `http://192.168.0.1`. Then I was able to connect via `http` (to port 80). This is likely because no HSTS header ([`Strict-Transport-Security`](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)) has been seen by Firefox for that host association. – JamesThomasMoon May 19 '22 at 20:04

3 Answers3

2

Take a look at HTTPS-Only Mode in Firefox and check, if HTTPS-Only Mode is enabled.

M. Behrens
  • 719
  • 2
  • 6
2

Neither

  • browser.fixup.fallback-to-https: false
  • browser.urlbar.autoFill: false
  • HTTPS Only disabled in settings
  • HTTPS Only enabled and correct exceptions set

and all possible combinations of them did the trick consequently, but

  • browser.fixup.alternate.protocol: http

fixed it for me

Alexander Weber
  • 21
  • 1
1

tl;dr use the IP Address

Instead of browsing to a URL of the named host, e.g. http://host, browse to the URL of the IP Address, e.g. http://192.168.1.2.

Firefox and other browsers will not forcibly insist on https protocol.

In Firefox,

  • in Settings page, section Privacy & Security, change HTTPS-Only Mode to Don’t enable HTTPS-Only Mode
  • other configurations to consider
    • in about:config page, change browser.fixup.fallback-to-https to false (thanks @ubfan1)
    • search "HTTPS" and tweak other settings until you have it

Related, browsing to the IP Address URL also allows an opportunity to skip TLS certificate checking for https connections.

JamesThomasMoon
  • 752
  • 1
  • 6
  • 18
  • 1
    Wish it were true, but Firefox 106.0.4 still insists on using https on IP address connections. Even if exceptions are added to the "use https" and even if "don't use https" is checked. Maybe you have some other setting which actually will allow http? – ubfan1 Nov 03 '22 at 22:33
  • @ubfan1 I tested it again and still works for me. Using Firefox 106.0.3. I have set _HTTPS-Only Mode_ to option _Don’t enable HTTPS-Only Mode_. Also have setting _Enable DNS over HTTPS_ as unchecked. Using Private setting _Standard_. I also tested against a site not in my Bookmarks using a quickie HTTP server `python3 -m http.server 80`. I was able to browse the non-bookmarked site at `http://192.168.1.1:80`. – JamesThomasMoon Nov 04 '22 at 00:14
  • I confirm your test works on Ubuntu 22.04/Firefox 106.0.4. My explicit problem is connecting to an old security camera -- Old TLS support only, so maybe some fallback to https before reporting https failed instead of : "connection refused" like Chrome does. – ubfan1 Nov 04 '22 at 00:59
  • "_My explicit problem is connecting to an old security camera -- Old TLS support only_" try either 1. what does the Developer Tools -> Network tab report? investigate from there, or 2. get a really old version of Firefox https://ftp.mozilla.org/pub/firefox/releases/ – JamesThomasMoon Nov 04 '22 at 04:16
  • 1
    I found that setting browser.fixup.fallback-to-https to false in about:config will prevent the https switch to http (and reverted the dozen or so other changes I had made on various https settings). So now I get the refused connection like Chrome. I did try some TLS and SSL changes, but connection still refused. Getting an old Firefox version looks like my best bet at this time -- an old program to connect to old devices. Thanks for the help. – ubfan1 Nov 04 '22 at 15:41
  • This is not a good solution. Many sites nowadays use name-based virtual hosting. The IP address alone isn't enough. The hostname is a required ingredient. – Daniel B Nov 04 '22 at 19:18
  • @DanielB good point; some sites will fail because they require a hostname in the URI host field (not an IP address). Unfortunately, I do not know of any other solution. I tried the other answers and other comments but Firefox is very insistent on `https`. – JamesThomasMoon Nov 13 '22 at 21:43