On 10/14/2016 01:07 PM, mozilla-lists.mbou...@spamgourmet.com wrote:
> NoOp wrote:
>>> Mark Bourne wrote:
>>>> Rainer Bielefeld wrote:
>>>>> Hi,
>>>>> on some (few) web pages I can not reach the linked contents because my
>>>>> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
>>>>> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
>>>>> Theme) on German WIN7 64bit with my normal User Profile automatically
>>>>> replaces "http" in URL by "https".
>>>>> Example:
>>>>> 1. In Browser visit <http://www.draytek.de/>
>>>>> 2. In page contents heading line
>>>>>      ˋclick downloads - Firmwareˊ
>>>>>      Expected: <http://myvigoreu.draytek.com/download_de/> opens
>>>>>      Actual:   <https://myvigoreu.draytek.com/download_de/> will
>>>>>                not open because it does not exist. So Error 404.
>>>>> I see that after a short moment in URL bar "http" becomes replaced by
>>>>> "https"
>>>>> This also happens in Safe Mode without add-ons
>>>>> No problem in a newly created User Profile.
>>>>> So this problem seems to be caused by my preferences, but I can't find
>>>>> the responsible one.
>>>> On first trying, that didn't happen for me. Visiting
>>>> <http://myvigoreu.draytek.com/download_de/> stayed on the http: version.
>>>> However, I then changed http: to https:, i.e.
>>>> <https://myvigoreu.draytek.com/download_de/>, and got a 404 Not Found
>>>> page. Now, when I try going back to the http: version, it automatically
>>>> redirects to the https: version.
>>>> Visiting the https: version returns a strict-transport-security header.
>>>> That indicates to the browser that, from now on, it should only access
>>>> pages on that domain via https:, not http:, to protect against
>>>> attacks which attempt to force use of http:. So when you attempt to
>>>> access the page via http:, the browser instead accesses it via https:.
>>>> Since the site can serve the content in question via http: but not
>>>> https:, it looks like a misconfiguration of that site's server to me -
>>>> either it should be prepared to serve all content via https:, or it
>>>> shouldn't send a strict-transport-security header instructing the
>>>> browser to only use https:!
>> Here's something interesting/odd: I was experimenting with the url &
>> found that if you enter <https://draytek.com/download_de/> it will
>> redirect to <http://gplsource.draytek.com/?cultureKey=&q=download_de/>
>> which is the 'Draytek File Server'. Tested in Firefox, Chrome & Opera
>> (Windows 2.46).
>> And now if I go to <http://www.draytek.com/> I can select
>> Download|Firmware and it brings up a proper download page (again tested
>> in SeaMonkey 2.46, Firefox, Chrome, Opera (Windows)).
> That's true, but <http://www.draytek.com/> is not the same as 
> <http://www.draytek.de/>, and Download > Firmware links to a different 
> domain (www.draytek.com. rather than myvigoreu.draytek.com.).
> Download > Firmware from <http://www.draytek.de/> links to 
> <http://myvigoreu.draytek.com/download_de/>. If you've previously 
> visited anything under <https://myvigoreu.draytek.com> and got the 
> strict-transport-security header, accessing that URL leads to SeaMonkey 
> (correctly) loading <https://myvigoreu.draytek.com/download_de/> 
> instead, and that returns a 404 Not Found error. The server at 
> myvigoreu.draytek.com. is basically informing clients that they should 
> only use HTTPS, yet there is some content which it serves only via HTTP 
> and not via HTTPS.

Thanks Mark, I was just pointing out some of the odd link behaviour on
the site:
if you enter <https://draytek.com/download_de/> it will
redirect to <http://gplsource.draytek.com/?cultureKey=&q=download_de/>
which is the 'Draytek File Server'.
I probably should have pointed out that the link to draytek.com was from
my clicking the 'Draytek Corp' link at the bottom of the file server page.
