NoOp wrote:
Mark Bourne wrote:
Rainer Bielefeld wrote:

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

1. In Browser visit <>
2. In page contents heading line
     ˋclick downloads - Firmwareˊ
     Expected: <> opens
     Actual:   <> will
               not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.

On first trying, that didn't happen for me. Visiting
<> stayed on the http: version.

However, I then changed http: to https:, i.e.
<>, and got a 404 Not Found
page. Now, when I try going back to the http: version, it automatically
redirects to the https: version.

Visiting the https: version returns a strict-transport-security header.
That indicates to the browser that, from now on, it should only access
that pages on that domain via https:, not http:, to protect against
attacks which attempt to force use of http:. So when you attempt to
access the page via http:, the browser instead accesses it via https:.

Since the site can serve the content in question via http: but not
https:, it looks like a misconfiguration of that site's server to me -
either it should be prepared to serve all content via https:, or it
shouldn't send a strict-transport-security header instructing the
browser to only use https:!

Here's somthing interesting/odd: I was experimenting with the url &
found that if you enter <> it will
redirect to <>
which is the 'Draytek File Server'. Tested in Firefox, Chrome & Opera
(Windows 2.46).
And now if I go to <> I can select
Download|Firmware and it brings up a proper download page (again tested
in SeaMonkey 2.46, Firefox, Chrome, Opera (Windows)).

That's true, but <> is not the same as <>, and Download > Firmware links to a different domain ( rather than

Download > Firmware from <> links to <> which. If you've previously visited anything under <> and got the strict-transport-security header, accessing that URL leads to SeaMonkey (correctly) loading <> instead, and that returns a 404 Not Found error. The server at is basically informing clients that they should only use HTTPS, yet there is some content which it serves only via HTTP and not via HTTPS.


support-seamonkey mailing list

Reply via email to