Mark Bourne wrote:
Rainer Bielefeld wrote:

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

1. In Browser visit <>
2. In page contents heading line
    ˋclick downloads - Firmwareˊ
    Expected: <> opens
    Actual:   <> will
              not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.

On first trying, that didn't happen for me. Visiting
<> stayed on the http: version.

However, I then changed http: to https:, i.e.
<>, and got a 404 Not Found
page. Now, when I try going back to the http: version, it automatically
redirects to the https: version.

Visiting the https: version returns a strict-transport-security header.
That indicates to the browser that, from now on, it should only access
that pages on that domain via https:, not http:, to protect against
attacks which attempt to force use of http:. So when you attempt to
access the page via http:, the browser instead accesses it via https:.

Since the site can serve the content in question via http: but not
https:, it looks like a misconfiguration of that site's server to me -
either it should be prepared to serve all content via https:, or it
shouldn't send a strict-transport-security header instructing the
browser to only use https:!

I should have mentioned I was using SeaMonkey 2.40 on Windows Vista:
Mozilla/5.0 (Windows NT 6.0; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40

You can clear SeaMonkey's memory of having seen the strict-transport-security header as follows:
- Close SeaMonkey
- Use a text editor to open SiteSecurityServiceState.txt from your profile folder
- Search for the line containing ""
- Delete that line
- Save the file
- Open SeaMonkey
- You should now be able to visit <> and see the list of downloads

If at any time you visit anything under <>, SeaMonkey will get the strict-transport-security header again and from then on only access that domain via https:.


support-seamonkey mailing list

Reply via email to