Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

HTTPS-only exception list

  • 3 பதிலளிப்புகள்
  • 1 இந்த பிரச்சனை உள்ளது
  • 3 views
  • Last reply by cor-el

I have enabled HTTPS-only to everywhere.

Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators.

The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page.

I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit.

I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that?

on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

I have enabled HTTPS-only to everywhere. Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators. The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page. I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit. I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that? on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

All Replies (3)

Firefox's HTTPS-only setting automatically opens all sites in HTTPS and displays an error if the HTTPS connection cannot be made. The override option is on a per-site basis, so you will still need to land on the site to disable HTTPS-only.

Alternatively, you could use HTTPS Everywhere extension instead which is based on a ruleset. This will not forcibly upgrade your work site to HTTPS since it does not appear on the list while still maintaining HTTPS everywhere else.

I used to use HTTPS Everywhere. I actually just removed it in favor of the built in Firefox behavior. All it is missing is the ability to toggle off HTTPS-only for a site with out requiring one to actually visit the site first.

As it turns out I have a solution, but it involves poking around in your firefox internals. I'm sure all the usual warnings about "you break it, you bought it" applies here.

I discovered that the site specific HTTPS-only settings are stored in $profile/permissions.sqlite. I closed firefox and inserted a new row that looks something like this:

"4375,http:${url},https-only-load-insecure,1,0,0,1617224928601"

I would love to see a better way to add exceptions rather than fiddling with sqlite files.

You can possibly use code in the Browser Console (not the Web Console) to add or remove "https-only-load-insecure" exceptions.


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function addException(uri){
Services.perms.addFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri),HTTPS_ONLY_PERMISSION,1,0);
}
for (var i=0; i<myOrigins.length; i++) addException(myOrigins[i]);


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function removeException(uri){
Services.perms.removeFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri), HTTPS_ONLY_PERMISSION);
}
for (var i=0; i<myOrigins.length; i++) removeException(myOrigins[i]);