On 10/14/2016 01:07 PM, mozilla-lists.mbou...@spamgourmet.com wrote:
> NoOp wrote:
>>> Mark Bourne wrote:
>>>> Rainer Bielefeld wrote:
>>>>> Hi,
>>>>>
>>>>> on some (few) web pages I can not reach the linked contents because my
>>>>> unofficial en-US SeaMonkey 2.49a1 (NT 6.1; WOW64; rv:52.0)
>>>>> Gecko/20100101 Firefox/52.0 Build 20160930004545 (Default Classic
>>>>> Theme) on German WIN7 64bit with my normal User Profile automatically
>>>>> replaces "http" in URL by "https".
>>>>>
>>>>> Example:
>>>>> 1. In Browser visit <http://www.draytek.de/>
>>>>> 2. In page contents heading line
>>>>> ˋclick downloads - Firmwareˊ
>>>>> Expected: <http://myvigoreu.draytek.com/download_de/> opens
>>>>> Actual: <https://myvigoreu.draytek.com/download_de/> will
>>>>> not open because it does not exist. So Error 404.
>>>>>
>>>>> I see that after a short moment in URL bar "http" becomes replaced by
>>>>> "https"
>>>>>
>>>>> This also happens in Safe Mode without add-ons
>>>>> No problem in a newly created User Profile.
>>>>> So this problem seems to be caused by my preferences, but I can't find
>>>>> the responsible one.
>>>>
>>>> On first trying, that didn't happen for me. Visiting
>>>> <http://myvigoreu.draytek.com/download_de/> stayed on the http: version.
>>>>
>>>> However, I then changed http: to https:, i.e.
>>>> <https://myvigoreu.draytek.com/download_de/>, and got a 404 Not Found
>>>> page. Now, when I try going back to the http: version, it automatically
>>>> redirects to the https: version.
>>>>
>>>> Visiting the https: version returns a strict-transport-security header.
>>>> That indicates to the browser that, from now on, it should only access
>>>> pages on that domain via https:, not http:, to protect against
>>>> attacks which attempt to force use of http:. So when you attempt to
>>>> access the page via http:, the browser instead accesses it via https:.
>>>>
>>>> Since the site can serve the content in question via http: but not
>>>> https:, it looks like a misconfiguration of that site's server to me -
>>>> either it should be prepared to serve all content via https:, or it
>>>> shouldn't send a strict-transport-security header instructing the
>>>> browser to only use https:!
>>
>> Here's something interesting/odd: I was experimenting with the url &
>> found that if you enter <https://draytek.com/download_de/> it will
>> redirect to <http://gplsource.draytek.com/?cultureKey=&q=download_de/>
>> which is the 'Draytek File Server'. Tested in Firefox, Chrome & Opera
>> (Windows 2.46).
>> And now if I go to <http://www.draytek.com/> I can select
>> Download|Firmware and it brings up a proper download page (again tested
>> in SeaMonkey 2.46, Firefox, Chrome, Opera (Windows)).
>
> That's true, but <http://www.draytek.com/> is not the same as
> <http://www.draytek.de/>, and Download > Firmware links to a different
> domain (www.draytek.com. rather than myvigoreu.draytek.com.).
>
> Download > Firmware from <http://www.draytek.de/> links to
> <http://myvigoreu.draytek.com/download_de/>. If you've previously
> visited anything under <https://myvigoreu.draytek.com> and got the
> strict-transport-security header, accessing that URL leads to SeaMonkey
> (correctly) loading <https://myvigoreu.draytek.com/download_de/>
> instead, and that returns a 404 Not Found error. The server at
> myvigoreu.draytek.com. is basically informing clients that they should
> only use HTTPS, yet there is some content which it serves only via HTTP
> and not via HTTPS.
>

Thanks Mark, I was just pointing out some of the odd link behaviour on the site
<quote>
if you enter <https://draytek.com/download_de/> it will
redirect to <http://gplsource.draytek.com/?cultureKey=&q=download_de/>
which is the 'Draytek File Server'.
</quote>

I probably should have pointed out that the link to draytek.com was from my clicking the 'Draytek Corp' link at the bottom of the file server page.

Gary
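
The strict-transport-security behaviour described in this thread, as an added example that is not part of the original messages and is not SeaMonkey's code: a small model of a browser's per-profile HSTS store that replays the sequence reported above (http works, one https visit stores the policy, later http requests are rewritten). The class and function names are hypothetical, and the header value `max-age=31536000` is constructed because the thread does not quote the real one.

```javascript
// Added illustration of a browser's HSTS store (RFC 6797); not SeaMonkey's code.
class HstsStore {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }

  // Record the policy from a response; the header is ignored on plain-HTTP responses.
  noteResponse(url, headerValue, nowMs) {
    const u = new URL(url);
    if (u.protocol !== 'https:' || !headerValue) return;
    let maxAge = null, includeSubDomains = false;
    for (const part of headerValue.split(';')) {
      const [name, value = ''] = part.split('=').map((s) => s.trim());
      if (/^max-age$/i.test(name) && /^"?\d+"?$/.test(value)) {
        maxAge = Number(value.replace(/"/g, ''));
      } else if (/^includeSubDomains$/i.test(name)) {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return;                        // max-age is mandatory
    if (maxAge === 0) this.entries.delete(u.hostname);  // max-age=0 clears the entry
    else this.entries.set(u.hostname, { expires: nowMs + maxAge * 1000, includeSubDomains });
  }

  // A host matches its own entry, or a parent's entry that set includeSubDomains.
  isKnownHost(host, nowMs) {
    const labels = host.split('.');
    return labels.some((_, i) => {
      const e = this.entries.get(labels.slice(i).join('.'));
      return Boolean(e) && e.expires > nowMs && (i === 0 || e.includeSubDomains);
    });
  }

  // URL actually requested: http is rewritten to https before any network traffic.
  effectiveUrl(url, nowMs) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHost(u.hostname, nowMs)) u.protocol = 'https:';
    return u.href;
  }
}

// Replay of the thread's sequence. The header value is constructed; the page does not quote it.
function replayThread() {
  const store = new HstsStore();
  const page = 'http://myvigoreu.draytek.com/download_de/';
  const first = store.effectiveUrl(page, 0);                 // nothing stored yet
  store.noteResponse('https://myvigoreu.draytek.com/download_de/', 'max-age=31536000', 0);
  const second = store.effectiveUrl(page, 1000);             // policy now stored
  const other = store.effectiveUrl('http://www.draytek.de/', 1000); // different host
  const expired = store.effectiveUrl(page, 31536001 * 1000); // after max-age elapsed
  return { first, second, other, expired };
}
```

A fresh `HstsStore` corresponds to the newly created profile in the original report, which is why the problem did not appear there.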