How to disable HSTS / force an exception for a host?
Because I hate the concept of Google trying to spy even more on me than they already are, I have redirected ajax.googleapis.com on all of my devices to the IP address of a server of my own that is serving a mirror of the contents of ajax.googleapis.com. It is serving this content both on HTTP and HTTPS, using a self-signed certificate. There is, of course, not a chance of getting a valid certificate for this server as the domain does not belong to me. However, I couldn't care less as it's my own server which I know I can trust.
However, Firefox keeps blocking access to this virtual host because HSTS is enabled. Firefox has never even touched the real ajax.googleapis.com as long as it's been installed, so I'm quite curious about how it knows that HSTS is enabled there. I'm guessing Firefox comes preloaded with this. Anyway, as it claims HSTS is enabled, it will not let me add an exception. I manually added an exception through Preferences -> Advanced -> Certificates -> Servers -> Add exception... but apparently, this exception is still ignored.
How can I force Firefox to trust this certificate? It is required for me because too many websites rely on that host to serve the content that my mirror is actually serving.
All Replies (3)
Just to answer my own question: I have been able to work around this issue, not by adding the self-signed certificate as an exception but by importing it as a trusted, valid certificate authority on the Preferences -> Advanced -> Certificates -> Organizations pane. After that, I had to edit trust settings and set this certificate to be trusted for signing website certificates. After that, the self-signed certificate was finally accepted.
IMO, it should be possible to add exceptions no matter what. After all, it's still MY computer and MY browser which I myself like to control. It's good to guide / inform users about their actions and even to make it slightly hard / uncomfortable to add an exception but this seems like too much hassle to get my browser to trust what or whomever I trust.
How do you know there is an HSTS issue?
I'm pretty sure I've loaded scripts from ajax.googleapis.com in the past, but when I use the SQLite Manager extension to check my permissions.sqlite database for an STS rule, there aren't any for that domain or for the base domain googleapis.com.
To remove any Strict Transport Security rules for that host, you can use the "Forget About This Site" feature. This also will forget history, cookies, bookmarks, popup permissions, and any other data Firefox has stored about that host name. To access this feature, either:
(A) Open the Library dialog to history, either:
- Ctrl+Shift+h
- "Show All History"
right-click a history entry for the site and choose Forget
(B) Type or paste about:permissions in the address bar and press Enter
In the left column, type googleapi in the search box above the list to filter it, then select the host and look for the Forget button in the upper right corner of the page.
Any difference on your next access?
jscher2000, thanks for your response. However, as I mentioned, Firefox has never even been able to access ajax.googleapis.com at all, because I first added the redirect of that domain to my server to /etc/hosts before I even installed Firefox, which caused any attempt to access it to fail due to HSTS issues.
Therefore, there are no entries in the history, so there's nothing to forget either. I have no clue what causes Firefox to assume HSTS, but it's not because it has downloaded any valid header from that host ever.
Thanks for the pointer to about:permissions, I did not know about that overview. Very useful!