Bug 138535

Summary: HTTP only page being forced to HTTPS
Product: WebKit
Reporter: Geoff Evans <gbeevans>
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: ap
Priority: P2
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.10

Geoff Evans
Reported 2014-11-08 02:34:24 PST

This is an odd bug that only happens on Mac OS X 10.10 in Safari. http://devicefinder.eleboards.com will always attempt to connect to the server via HTTPS, which does not exist on the server. Wireshark shows that no attempt is made by Safari to connect via HTTP; it just starts with an HTTPS request. Doing the same request in a private window will load the topmost HTTPS site on the virtual server. There is an SSL certificate with a wildcard (*.eleboards.com) that is served on admin.eleboards.com and eleboards.com, so there is a chance it may be a caching issue, as I have been to those two sites before, but it is hard to tell if this is actually taking place.
Alexey Proskuryakov
Comment 1, 2014-11-08 10:23:01 PST

I cannot reproduce this issue; http://devicefinder.eleboards.com opens normally in Safari on OS X Yosemite for me. Is there an entry for eleboards.com in your ~/Library/Cookies/HSTS.plist file? This behavior is consistent with eleboards.com previously sending a Strict-Transport-Security HTTP response header to you: if it was marked "with subdomains", then devicefinder.eleboards.com is also subject to the restriction. I verified that eleboards.com doesn't send this header now, so it was probably a temporary mistake made by the webmaster. Alternatively, only some pages on the site have it, and I just didn't happen to open the ones that do. One way or another, this is correct behavior for a web browser. All browsers that have seen such a response in the past will be affected. Please see <http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security> for more information about strict transport security.

A workaround is to remove the HSTS.plist file, and then execute this command from Terminal:

    killall -9 cookied