Hi,
Just thought I'd try asking here, because I'm not having much luck with Google...
Many times, way too many damn times, if I try to access some address with Firefox it will go into HTTPS mode when I don't want it to.
For instance, I've actually typed http://192.168.1.254 to get into my router's admin page, because it doesn't do HTTPS. And if Firefox doesn't get instant results with what I typed it changes it to https://192.168.1.254 (which is never going to work).
Likewise with other devices that I might be testing on my LAN, and may be unplugged/reset while I'm testing, so I want to just hammer away at the same address sitting in the browser's address bar without the damn browser changing it on me.
Grrrrrrrr, I hate autocorrect style of crap everywhere they put it.
The HTTPS-only modes are disabled. Stupid option that is. Many things do NOT have HTTPS. Most things don't need it. It just increases workload to encrypt unimportant things.
And I wish they'd stop hiding HTTP and HTTPS in the address bar. Let me see the letters there so I know what it's doing.
Does anybody have any answers about how to force the browser to stop doing that, always, every time, never disobey me?
On Fri, 21 Feb 2025 at 14:32, Tim via users users@lists.fedoraproject.org wrote:
Hi,
Just thought I'd try asking here, because I'm not having much luck with Google...
Many times, way too many damn times, if I try to access some address with Firefox it will go into HTTPS mode when I don't want it to.
Untested but browser.fixup.fallback-to-https in about:config looks like a likely candidate.
https://stackoverflow.com/questions/30532471/firefox-redirects-to-https might be useful too.
Tim:
Just thought I'd try asking here, because I'm not having much luck with Google...
Many times, way too many damn times, if I try to access some address with Firefox it will go into HTTPS mode when I don't want it to.
Will McDonald:
Untested but browser.fixup.fallback-to-https in about:config looks like a likely candidate.
https://stackoverflow.com/questions/30532471/firefox-redirects-to-https might be useful too.
That seems to be the magic solution. For what it's worth, for the sake of my sanity, and maybe it'll help others, I've made these changes:
browser.fixup.fallback-to-https = false
This should stop any time I want to go to http://192.168.1.254 changing without my authority to https://192.168.1.254. As far as I'm concerned that should never have happened, and automatically choosing that protocol would only be *barely* tolerable if I'd simply typed in 192.168.1.254 without any protocol prefix.
dom.security.https_first = false dom.security.https_first_pbm = false
These would appear to be presuming to use a HTTPS protocol if I hadn't typed in any protocol prefixing the address (like if I'd simply typed in 192.168.1.254). The first one for general windows (and it was already false, by default), the second one for private browsing windows (and it was true, by default).
network.stricttransportsecurity.preloadlist = false
This was suggested (by my earlier google searches) as the likely answer, but didn't help with this problem. It may, however, help with other addresses that someone else has made assumptions about ought to be HTTPS instead of HTTP (disabling those presumptions).
keyword.enabled = false
Another config choice was to add the separate search bar next to the address bar, and stop the address bar from doing internet searches. So that when you type in something like router (and hit enter) it doesn't do a google search for routers, but only tries to connect to something with router as the hostname. This has been another nuisance that I've, now, stopped. If what I type doesn't connect, *I* can decide on the next course of action.
NB: This doesn't stop the address bar from offering previous addresses that you've visited as suggestions, or finding things you've bookmarked (appearing in a list popping up below the the addressbar), when you start to type them. *Local* searching still works, so to speak.
It may also help with mDNS local hostnames (being just a local search not a google search), but I don't use mDNS to be able to try that out.
browser.urlbar.trimURLs = false
This stops the address bar from hiding the http:// or https:// protocol prefixes before the address. Eliminating guessing games about what it's doing. I consider that as dumb as Windows hiding filename suffixes (where you can't tell hackme.jpg apart from hackme.exe).
I also ensure DNS over HTTPS is disabled, because I want *my* DNS server to be the thing that provides answers. Only my DNS server can answer LAN queries. An external server is something that I cannot control to blackhole nuisances, and it might censor queries. My ISP's DNS server was always terrible (overloaded, slow, and often wrong).
Other search results suggested finding problematic addresses and removing them from the history, to stop Firefox doing the same thing as it tried last time. I haven't followed up on doing this, because it doesn't seem to have been necessary.
Of course it's up to *me* to ensure that when I do something like log onto a banking site I'm using a HTTPS address (this is something where the now often ignored bookmarking browser feature is a really good thing - some people google search *everything*). And the sanely written service provider sites will make sure that visiting them via HTTP will give you a different landing page that moves you into the HTTPS site before giving you any logon boxes to type into.
If only I could configure mobile device browsers similarly! One on my my phone has no address bar if the browser has been opened up by a link you've clicked elsewhere. You just have the site's domain name at the top, and no navigational bar to see where you are, or hand type something into it. Dumbing things down to the point that they're painful.
On Fri, Feb 21, 2025 at 9:32 AM Tim via users users@lists.fedoraproject.org wrote:
Hi,
Just thought I'd try asking here, because I'm not having much luck with Google...
Many times, way too many damn times, if I try to access some address with Firefox it will go into HTTPS mode when I don't want it to.
For instance, I've actually typed http://192.168.1.254 to get into my router's admin page, because it doesn't do HTTPS. And if Firefox doesn't get instant results with what I typed it changes it to https://192.168.1.254 (which is never going to work).
Likewise with other devices that I might be testing on my LAN, and may be unplugged/reset while I'm testing, so I want to just hammer away at the same address sitting in the browser's address bar without the damn browser changing it on me.
Grrrrrrrr, I hate autocorrect style of crap everywhere they put it.
The HTTPS-only modes are disabled. Stupid option that is. Many things do NOT have HTTPS. Most things don't need it. It just increases workload to encrypt unimportant things.
And I wish they'd stop hiding HTTP and HTTPS in the address bar. Let me see the letters there so I know what it's doing.
Does anybody have any answers about how to force the browser to stop doing that, always, every time, never disobey me?
Yes, I've been fighting this for the past year, since about October 2024 when the major browser platforms decided that your saftey against phishing attacks on your bank account was more important than being able to access other web sites.
I run the website for my local RC Flying club and we have some web cams showing our flight line and the parking lot, and those devices are HTTP only. But with the new browser restrictions, people couldn't get at the cameras anymore. What made it worse was that although the web site would support HTTPS, having one of its pages point at another URL that was explicitly HTTP causes a cross-site security violation.
So what I found were options in Firefox (and also similar in Edge and Safari. In firefox, it's currently called HTTP-Only, and you can set it to try HTTPS first, but then fall back to trying HTTP. (Not ideal because you'll always have that extra transaction that wastes bandwidth, server CPU, and elapsed time... but at least it will still work.
Secondly, there is also the ability to define 'exceptions' where you can add the website to the list of places to NOT default to HTTPS.
Sadly, as the webmaster, I have to tell all of our club members to FIX their browser, because I can't do anything to our website to fix it globally.
On one of the browsers, I also found another config item related to 'cross-site security', where I told people to add the addresses of our HTTP cameras. Unfortunately I can't quote which browser, and what it was exactly called.
also if you have to activate a NAT using http://neverssl.com
There is also IETF's http://example.com that works for this.
neverssl states that they will always be there. example.com will always be there as long as there is the IETF and RFCs.
On 2/21/25 09:31, Tim via users wrote:
Hi,
Just thought I'd try asking here, because I'm not having much luck with Google...
Many times, way too many damn times, if I try to access some address with Firefox it will go into HTTPS mode when I don't want it to.
For instance, I've actually typed http://192.168.1.254 to get into my router's admin page, because it doesn't do HTTPS. And if Firefox doesn't get instant results with what I typed it changes it to https://192.168.1.254 (which is never going to work).
Likewise with other devices that I might be testing on my LAN, and may be unplugged/reset while I'm testing, so I want to just hammer away at the same address sitting in the browser's address bar without the damn browser changing it on me.
Grrrrrrrr, I hate autocorrect style of crap everywhere they put it.
The HTTPS-only modes are disabled. Stupid option that is. Many things do NOT have HTTPS. Most things don't need it. It just increases workload to encrypt unimportant things.
And I wish they'd stop hiding HTTP and HTTPS in the address bar. Let me see the letters there so I know what it's doing.
Does anybody have any answers about how to force the browser to stop doing that, always, every time, never disobey me?
-
Fulko Hew -
Robert Moskowitz -
Tim -
Will McDonald