On 10/13/2016 12:42 PM, mozilla-lists.mbou...@spamgourmet.com wrote:
> Mark Bourne wrote:
>> Rainer Bielefeld wrote:
>>> Hi,
>>>
>>> on some (few) web pages I can not reach the linked contents because my
>>> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
>>> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
>>> Theme) on German WIN7 64bit with my normal User Profile automatically
>>> replaces "http" in URL by "https".
>>>
>>> Example:
>>> 1. In Browser visit <http://www.draytek.de/>
>>> 2. In page contents heading line
>>>     ˋclick downloads - Firmwareˊ
>>>     Expected: <http://myvigoreu.draytek.com/download_de/> opens
>>>     Actual:   <https://myvigoreu.draytek.com/download_de/> will
>>>               not open because it does not exist. So Error 404.
>>>
>>> I see that after a short moment in URL bar "http" becomes replaced by
>>> "https"
>>>
>>> This also happens in Safe Mode without add-ons
>>> No problem in a newly created User Profile.
>>> So this problem seems to be caused by my preferences, but I can't find
>>> the responsible one.
>>
>> On first trying, that didn't happen for me. Visiting
>> <http://myvigoreu.draytek.com/download_de/> stayed on the http: version.
>>
>> However, I then changed http: to https:, i.e.
>> <https://myvigoreu.draytek.com/download_de/>, and got a 404 Not Found
>> page. Now, when I try going back to the http: version, it automatically
>> redirects to the https: version.
>>
>> Visiting the https: version returns a strict-transport-security header.
>> That indicates to the browser that, from now on, it should only access
>> pages on that domain via https:, not http:, to protect against
>> attacks which attempt to force use of http:. So when you attempt to
>> access the page via http:, the browser instead accesses it via https:.
>>
>> Since the site can serve the content in question via http: but not
>> https:, it looks like a misconfiguration of that site's server to me -
>> either it should be prepared to serve all content via https:, or it
>> shouldn't send a strict-transport-security header instructing the
>> browser to only use https:!
> 
> I should have mentioned I was using SeaMonkey 2.40 on Windows Vista:
> Mozilla/5.0 (Windows NT 6.0; rv:43.0) Gecko/20100101 Firefox/43.0 
> SeaMonkey/2.40
> 
> You can clear SeaMonkey's memory of having seen the 
> strict-transport-security header as follows:
> - Close SeaMonkey
> - Use a text editor to open SiteSecurityServiceState.txt from your 
> profile folder
> - Search for the line containing "myvigoreu.draytek.com"
> - Delete that line
> - Save the file
> - Open SeaMonkey
> - You should now be able to visit 
> <http://myvigoreu.draytek.com/download_de/> and see the list of downloads

Appears that these bugs are most related:

https://bugzilla.mozilla.org/show_bug.cgi?id=1123971
'HSTS entry in SiteSecurityServiceState.txt blocks me from visiting site'

https://bugzilla.mozilla.org/show_bug.cgi?id=1119778
'Forget about this site does not clear HSTS setting'
  Fixes Firefox so that you can select: History|Show All History| -
right click on the Draytek https link and select 'Forget about this
site' from the dropdown. I cannot find any such option in SeaMonkey, so
perhaps Rainer can file a bug report requesting the ability to clear
sites in SiteSecurityServiceState.txt from the 'History' UI.

> 
> If at any time you visit anything under 
> <https://myvigoreu.draytek.com/>, SeaMonkey will get the 
> strict-transport-security header again and from then on only access that 
> domain via https:.
> 

_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
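
The manual clean-up described in the thread, as an added example that is not part of the original messages: it removes the entry by exact host name instead of by substring search, and keeps a backup copy of the file. The tab-separated `host:TYPE` line layout, the sample lines and the function names are assumptions made for illustration; run it only while SeaMonkey is closed.

```python
import shutil
from pathlib import Path

STATE_FILE = "SiteSecurityServiceState.txt"  # file name taken from the thread

# Constructed sample lines. Assumed layout: key<TAB>score<TAB>last-access-day<TAB>data,
# where key is "host:HSTS". The second host is there to show why a plain
# substring search for the host name is too broad.
SAMPLE = (
    "myvigoreu.draytek.com:HSTS\t0\t17087\t1507891200000,1,0\n"
    "old.myvigoreu.draytek.com.example:HSTS\t0\t17087\t1507891200000,1,0\n"
    "example.org:HSTS\t2\t17080\t1510000000000,1,1\n"
)


def forget_hsts(state_text, host):
    """Return (new_text, removed_lines), dropping only entries whose host equals `host`."""
    kept, removed = [], []
    for line in state_text.splitlines(keepends=True):
        key = line.split("\t", 1)[0]            # first column, e.g. "example.org:HSTS"
        entry_host = key.rpartition(":")[0]     # part before the ":HSTS" suffix
        if entry_host.lower() == host.lower():
            removed.append(line)
        else:
            kept.append(line)
    return "".join(kept), removed


def forget_hsts_in_profile(profile_dir, host):
    """Edit the state file in `profile_dir`; a .bak copy is written before any change."""
    path = Path(profile_dir) / STATE_FILE
    with open(path, encoding="utf-8", newline="") as fh:   # newline="" keeps line endings
        original = fh.read()
    new_text, removed = forget_hsts(original, host)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(new_text)
    return removed


if __name__ == "__main__":
    text, gone = forget_hsts(SAMPLE, "myvigoreu.draytek.com")
    print("removed:", [g.split("\t", 1)[0] for g in gone])
    print(text, end="")
```

As the thread notes, the entry comes back the next time the browser receives the strict-transport-security header from that domain over https:.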
