Bug 284559

Summary: Safari 18.2 non-secure site connections warning blocks localhost with no option to proceed
Product: WebKit Reporter: Jeff Johnson <opendarwin>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: beidson, fredrickbishop14, karlcow, martijn, m_finkel, mohit.n, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 18   
Hardware: Mac (Apple Silicon)   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=284834
Attachments:
Description Flags
Sample html to reproduce the bug none

Jeff Johnson
Reported 2024-12-12 08:42:22 PST
Created attachment 473554 [details] Sample html to reproduce the bug Steps to reproduce: 1) Open Safari 18.2 2) In Safari Security Settings, enable "Warn before connecting to a website over HTTP" 3) Download the attached index.html file 4) In Terminal, cd ~/Downloads; /usr/bin/python3 -m http.server 5) In Terminal, open -a Safari 'http://localhost:8000' Expected results: "This Connection Is Not Secure" warning, with options to Continue or Go Back Actual results: Safari can't open the page "http://localhost:8000/". The error is: "Navigation failed because the request was for an HTTP URL with HTTPS-Only enabled" (WebKitErrorDomain:305) Notes: This is the new Safari 18.2 feature described at https://webkit.org/blog/16301/webkit-features-in-safari-18-2/#security-and-privacy
Attachments
Sample html to reproduce the bug (113 bytes, text/html)
2024-12-12 08:42 PST, Jeff Johnson 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-12-15 23:23:40 PST
<rdar://problem/141532147>
John Wilander
Comment 3 2025-02-25 12:39:14 PST
Hi! Thanks for filing! Can you manually enter 'http://localhost:8000' in the URL bar, including the scheme http://, and then load the page?
Jeff Johnson
Comment 4 2025-02-25 15:37:10 PST
(In reply to John Wilander from comment #3) > Hi! Thanks for filing! > > Can you manually enter 'http://localhost:8000' in the URL bar, including the > scheme http://, and then load the page? Yes.
John Wilander
Comment 5 2025-02-25 16:00:33 PST
OK, so then there's at least a workaround for now. Thanks!
John Wilander
Comment 6 2025-02-27 10:49:37 PST
Note that that is a deliberate thing. Explicitly stating a plaintext scheme should allow loading it.
martijn
Comment 7 2025-06-06 00:31:32 PDT
To add to this. Somehow, on one of my machines (Safari 18.5), localhost got in a state where it won't load in Safari anymore: Safari can't open the page "http://localhost:3000/". The error is: "Navigation failed because the request was for an HTTP URL with HTTPS-Only enabled" (WebKitErrorDomain:305) This happened consistently when I typed "L" in the address bar and confirmed the autocomplete. Now since I typed the full address, also with http:// it worked, and the problem disappeared for autocomplete, too. However, as with the original bug report, when following a http://localhost:3000/ link, it still blocks. Removing website data for localhost doesn't accomplish anything for this problem (this is a common suggestion on the web) and apparently there's no way (anymore) to remove the HSTS cache for Safari - if that's even relevant. So far, this is probably exactly the same as the original post. What I did notice is that when I close the tab presenting the error, and then Cmd+Z to reopen the tab, it always loads. I would expect: - this blocking to never happen for localhost - that there is a documented way to break through the blockade (permanently)
Note You need to log in before you can comment on or make changes to this bug.