HTTPS-only exception list
I have enabled HTTPS-only to everywhere.
Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators.
The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page.
I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit.
I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that?
on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.
Alla svar (3)
Firefox's HTTPS-only setting automatically opens all sites in HTTPS and displays an error if the HTTPS connection cannot be made. The override option is on a per-site basis, so you will still need to land on the site to disable HTTPS-only.
Alternatively, you could use HTTPS Everywhere extension instead which is based on a ruleset. This will not forcibly upgrade your work site to HTTPS since it does not appear on the list while still maintaining HTTPS everywhere else.
I used to use HTTPS Everywhere. I actually just removed it in favor of the built in Firefox behavior. All it is missing is the ability to toggle off HTTPS-only for a site with out requiring one to actually visit the site first.
As it turns out I have a solution, but it involves poking around in your firefox internals. I'm sure all the usual warnings about "you break it, you bought it" applies here.
I discovered that the site specific HTTPS-only settings are stored in $profile/permissions.sqlite. I closed firefox and inserted a new row that looks something like this:
"4375,http:${url},https-only-load-insecure,1,0,0,1617224928601"
I would love to see a better way to add exceptions rather than fiddling with sqlite files.
You can possibly use code in the Browser Console (not the Web Console) to add or remove "https-only-load-insecure" exceptions.
const HTTPS_ONLY_PERMISSION = "https-only-load-insecure"; var myOrigins = ['http://example.com', 'http://example.org']; function addException(uri){ Services.perms.addFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri),HTTPS_ONLY_PERMISSION,1,0); } for (var i=0; i<myOrigins.length; i++) addException(myOrigins[i]);
const HTTPS_ONLY_PERMISSION = "https-only-load-insecure"; var myOrigins = ['http://example.com', 'http://example.org']; function removeException(uri){ Services.perms.removeFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri), HTTPS_ONLY_PERMISSION); } for (var i=0; i<myOrigins.length; i++) removeException(myOrigins[i]);