We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

HTTPS-only exception list

  • 3 trả lời
  • 1 gặp vấn đề này
  • 1 lượt xem
  • Trả lời mới nhất được viết bởi cor-el

more options

I have enabled HTTPS-only to everywhere.

Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators.

The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page.

I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit.

I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that?

on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

I have enabled HTTPS-only to everywhere. Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators. The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page. I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit. I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that? on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

Tất cả các câu trả lời (3)

more options

Firefox's HTTPS-only setting automatically opens all sites in HTTPS and displays an error if the HTTPS connection cannot be made. The override option is on a per-site basis, so you will still need to land on the site to disable HTTPS-only.

Alternatively, you could use HTTPS Everywhere extension instead which is based on a ruleset. This will not forcibly upgrade your work site to HTTPS since it does not appear on the list while still maintaining HTTPS everywhere else.

more options

I used to use HTTPS Everywhere. I actually just removed it in favor of the built in Firefox behavior. All it is missing is the ability to toggle off HTTPS-only for a site with out requiring one to actually visit the site first.

As it turns out I have a solution, but it involves poking around in your firefox internals. I'm sure all the usual warnings about "you break it, you bought it" applies here.

I discovered that the site specific HTTPS-only settings are stored in $profile/permissions.sqlite. I closed firefox and inserted a new row that looks something like this:

"4375,http:${url},https-only-load-insecure,1,0,0,1617224928601"

I would love to see a better way to add exceptions rather than fiddling with sqlite files.

more options

You can possibly use code in the Browser Console (not the Web Console) to add or remove "https-only-load-insecure" exceptions.


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function addException(uri){
Services.perms.addFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri),HTTPS_ONLY_PERMISSION,1,0);
}
for (var i=0; i<myOrigins.length; i++) addException(myOrigins[i]);


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function removeException(uri){
Services.perms.removeFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri), HTTPS_ONLY_PERMISSION);
}
for (var i=0; i<myOrigins.length; i++) removeException(myOrigins[i]);