搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

HTTPS-only exception list

  • 3 回覆
  • 1 有這個問題
  • 1 次檢視
  • 最近回覆由 cor-el

more options

I have enabled HTTPS-only to everywhere.

Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators.

The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page.

I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit.

I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that?

on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

I have enabled HTTPS-only to everywhere. Unfortunately I have a site that I need to use for work. The site is only available over a VPN, so security isn't a huge concern to the site operators. The really unfortunately part is that the webserver seems to be poorly configured. So if I go to "https://dumb-work-url.com" then it resolves, but then just shows me a 404 error. I really need just vanilla "http://dumb-work-url.com" to work. As far as I can tell the override option that is on the padlock only works if I land on the functioning page. I can disable HTTPS-only, and then go to the site, but then the padlock doesn't give me the option to disable HTTPS-only for just that website. I'd really rather keep HTTPS-only on all the time since I'll need to be visiting this site quite a bit. I need a way to add this url to an HTTPS-only "off" exception list before I visit it. Is there a way to do that? on the https site, I turned off HTTPS-only (under the padlock), but that setting either isn't working, or isn't applying to the http version.

所有回覆 (3)

more options

Firefox's HTTPS-only setting automatically opens all sites in HTTPS and displays an error if the HTTPS connection cannot be made. The override option is on a per-site basis, so you will still need to land on the site to disable HTTPS-only.

Alternatively, you could use HTTPS Everywhere extension instead which is based on a ruleset. This will not forcibly upgrade your work site to HTTPS since it does not appear on the list while still maintaining HTTPS everywhere else.

more options

I used to use HTTPS Everywhere. I actually just removed it in favor of the built in Firefox behavior. All it is missing is the ability to toggle off HTTPS-only for a site with out requiring one to actually visit the site first.

As it turns out I have a solution, but it involves poking around in your firefox internals. I'm sure all the usual warnings about "you break it, you bought it" applies here.

I discovered that the site specific HTTPS-only settings are stored in $profile/permissions.sqlite. I closed firefox and inserted a new row that looks something like this:

"4375,http:${url},https-only-load-insecure,1,0,0,1617224928601"

I would love to see a better way to add exceptions rather than fiddling with sqlite files.

more options

You can possibly use code in the Browser Console (not the Web Console) to add or remove "https-only-load-insecure" exceptions.


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function addException(uri){
Services.perms.addFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri),HTTPS_ONLY_PERMISSION,1,0);
}
for (var i=0; i<myOrigins.length; i++) addException(myOrigins[i]);


const HTTPS_ONLY_PERMISSION = "https-only-load-insecure";
var myOrigins = ['http://example.com', 'http://example.org'];
function removeException(uri){
Services.perms.removeFromPrincipal(Services.scriptSecurityManager.createContentPrincipalFromOrigin(uri), HTTPS_ONLY_PERMISSION);
}
for (var i=0; i<myOrigins.length; i++) removeException(myOrigins[i]);