Bug 138535 - HTTP only page being forced to HTTPS
Summary: HTTP only page being forced to HTTPS
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.10
Importance: P2 Normal
Assignee: Nobody
Depends on:
Reported: 2014-11-08 02:34 PST by Geoff Evans
Modified: 2014-11-08 10:23 PST

See Also:


Description Geoff Evans 2014-11-08 02:34:24 PST
This is an odd bug that only happens on Mac OS X 10.10 in Safari.

http://devicefinder.eleboards.com will always attempt to connect to the server via HTTPS, which does not exist on the server. Wireshark shows that no attempt is made by Safari to connect via HTTP; it just starts with an HTTPS request. And doing the same request in a private window will load the topmost HTTPS site on the virtual server.

There is an SSL certificate with a wildcard (*.eleboards.com) that is served on admin.eleboards.com and eleboards.com. So there is a chance it may be a caching issue, as I have been to those two sites before, but it is hard to tell if this is actually taking place.
Comment 1 Alexey Proskuryakov 2014-11-08 10:23:01 PST
I cannot reproduce this issue, http://devicefinder.eleboards.com opens normally in Safari on OS X Yosemite for me.

Is there an entry for eleboards.com in your ~/Library/Cookies/HSTS.plist file? This behavior is consistent with eleboards.com previously sending a Strict-Transport-Security HTTP response header to you - if it was marked "with subdomains", then devicefinder.eleboards.com is also subject to the restriction.

I verified that eleboards.com doesn't send this header now, so it was probably a temporary mistake made by the webmaster. Alternatively, only some pages on the site have it, and I just didn't happen to open the ones that do. One way or another, this is correct behavior for a web browser. All browsers that have seen such a response in the past will be affected.

Please see <http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security> for more information about strict transport security.

A workaround is to remove the HSTS.plist file, and then execute this command from Terminal:

killall -9 cookied
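The mechanism Comment 1 describes, as an added example that is not part of this bug report and not WebKit or Safari code: a small model of the HSTS policy cache a browser keeps. It parses a Strict-Transport-Security header (max-age, includeSubDomains), records a policy only for responses received over TLS, and shows that one policy planted by eleboards.com with includeSubDomains causes a later plain-http navigation to devicefinder.eleboards.com to be rewritten to https before any connection is made, exactly the no-HTTP-attempt pattern seen in Wireshark. The visit dates, the header values, and the host example.net are constructed for the demonstration; the expiry check and the max-age=0 clearing follow RFC 6797.

```javascript
// Added example (not WebKit/Safari code): minimal model of a browser's HSTS
// policy cache. Hosts, dates and header values below are constructed.

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns { maxAge, includeSubDomains } or null when the header is not a
// valid policy (missing or malformed max-age, duplicated max-age).
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // quoted-string form is allowed
    }
    if (name === 'max-age') {
      if (maxAge !== null || value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  if (maxAge === null) return null; // max-age is mandatory
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Record the policy carried by a response. Only responses received over a
  // secure transport count (RFC 6797 section 8.1), so a wildcard-cert HTTPS
  // site can plant a policy while a plain-HTTP one cannot. max-age=0 removes
  // an existing entry. Returns true when the store changed.
  recordResponse(host, overTls, headerValue, nowMs) {
    if (!overTls) return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    host = host.toLowerCase();
    if (policy.maxAge === 0) return this.policies.delete(host);
    this.policies.set(host, {
      expires: nowMs + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Decide whether a plain-http navigation to host must be rewritten to https
  // before any network request is made. Walks from the host itself up through
  // each superdomain; a superdomain policy applies only with includeSubDomains.
  shouldUpgrade(host, nowMs) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const policy = this.policies.get(candidate);
      if (!policy) continue;
      if (policy.expires <= nowMs) { this.policies.delete(candidate); continue; } // expired
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }
}

// Replays the scenario from Comment 1 with constructed data.
function demo() {
  const t0 = Date.parse('2014-11-01T00:00:00Z');
  const week = t0 + 7 * 24 * 3600 * 1000;
  const store = new HstsStore();
  // A past HTTPS visit to eleboards.com answered with a subdomain-wide policy.
  store.recordResponse('eleboards.com', true, 'max-age=31536000; includeSubDomains', t0);
  const results = {};
  // The same header over plain HTTP is ignored.
  results.headerOverHttpIgnored = !store.recordResponse('example.net', false, 'max-age=31536000', t0);
  // A week later the subdomain is upgraded even though it never sent the header.
  results.subdomainUpgraded = store.shouldUpgrade('devicefinder.eleboards.com', week);
  results.unrelatedHostUntouched = store.shouldUpgrade('example.net', week);
  // Policies expire after max-age seconds.
  const shortLived = new HstsStore();
  shortLived.recordResponse('eleboards.com', true, 'max-age=60', t0);
  results.expiredPolicyIgnored = !shortLived.shouldUpgrade('eleboards.com', t0 + 61 * 1000);
  // The webmaster's fix: serving max-age=0 over HTTPS clears the entry on the next visit.
  store.recordResponse('eleboards.com', true, 'max-age=0', week);
  results.clearedByMaxAgeZero = !store.shouldUpgrade('devicefinder.eleboards.com', week);
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that clearing depends on the user actually revisiting the site over HTTPS and receiving max-age=0; until then the cached entry stands, which is why deleting the store file is the client-side way out. On OS X the store can be inspected with `plutil -p ~/Library/Cookies/HSTS.plist`.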