This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How to disable HSTS / force an exception for a host?

  • 3 replies
  • 18 have this problem
  • 1 view
  • Last reply by MadEgg

more options

Because I hate the concept of Google trying to spy even more on me than they already are, I have redirected ajax.googleapis.com on all of my devices on the IP address of a server of my own that is serving a mirror of the contents of ajax.googleapis.com. It is serving this content both on http and https, using a self-signed certificate. There is, of course, not a chance of getting a valid certificate for this server as the domain does not belong to me. However, I couldn't care less as it's my own server which I know I can trust.

However, Firefox keeps blocking access to this virtual host because HSTS is enabled. Firefox has never even touched the real ajax.googleapis.com as long as it's been installed so I'm quite curious on how it knows that HSTS is enabled there. I'm guessing Firefox comes preloaded with this. Anyway, as it claims HSTS is enabled, it will not let me add an exception. I manually added an exception through Preferences -> Advanced -> Certificates -> Servers -> Add exception... but apparently, this exception is still ignored.

How can I force Firefox to trust this certificate? It is required for me because too many websites rely on that host server the content that my mirror is actually serving.

Because I hate the concept of Google trying to spy even more on me than they already are, I have redirected ajax.googleapis.com on all of my devices on the IP address of a server of my own that is serving a mirror of the contents of ajax.googleapis.com. It is serving this content both on http and https, using a self-signed certificate. There is, of course, not a chance of getting a valid certificate for this server as the domain does not belong to me. However, I couldn't care less as it's my own server which I know I can trust. However, Firefox keeps blocking access to this virtual host because HSTS is enabled. Firefox has never even touched the real ajax.googleapis.com as long as it's been installed so I'm quite curious on how it knows that HSTS is enabled there. I'm guessing Firefox comes preloaded with this. Anyway, as it claims HSTS is enabled, it will not let me add an exception. I manually added an exception through Preferences -> Advanced -> Certificates -> Servers -> Add exception... but apparently, this exception is still ignored. How can I force Firefox to trust this certificate? It is required for me because too many websites rely on that host server the content that my mirror is actually serving.

All Replies (3)

more options

Just to answer my own question: I have been able to work around this issue but not adding the self-signed certificate as an exception but to import it as a trusted, valid certificate authority on the Preferences -> Advanced -> Certificates -> Organizations pane. After that, I had to edit trust settings and set this certificate to be trusted for signing website certificates. After that, the self-signed certificate was finally accepted.

IMO, it should be possible to add exceptions no matter what. After all, it's still MY computer and MY browser which I myself like to control. It's good to guide / inform users about their actions and even to make it slightly hard / uncomfortable to add an exception but this seems like too much hassle to get my browser to trust what or whomever I trust.

more options

How do you know there is an HSTS issue?

I'm pretty sure I've loaded scripts from ajax.googleapis.com in the past, but when I use the SQLite Manager extension to check my permissions.sqlite database for an STS rule, there aren't any for that domain or for the base domain googleapis.com.

To remove any Strict Transport Security rules for that host, you can use the "Forget About This Site" feature. This also will forget history, cookies, bookmarks, popup permissions, and any other data Firefox has stored about that host name. To access this feature, either:

(A) Open the Library dialog to history, either:

  • Ctrl+Shift+h
  • "Show All History"

right-click a history entry for the site and choose Forget

(B) Type or paste about:permissions in the address bar and press Enter

In the left column, type googleapi in the search box above the list to filter it, then select the host and look for the Forget button in the upper right corner of the page.

Any difference on your next access?

more options

jscher2000, thanks for your response. However, as I mentioned, Firefox has never even been able to access ajax.googleapis.com at all, because I first added the redirect of that domain to my server to /etc/hosts before I even installed Firefox, which caused any attempt to access it to fail due to HSTS issues.

Therefore, there are no entries in the history, so there's nothing to forget either. I have no clue what causes Firefox to assume HSTS, but it's not because it has downloaded any valid header from that host ever.

Thanks for the pointer to about:permission, I did not know about that overview. Very useful!

Modified by MadEgg