Why does Firefox default to https when typing certain hostnames in address bar?
I've noticed that if I type some hostnames into the address bar and hit Enter -- without accepting any auto-complete suggestions from the dropdown -- Firefox will default to sending the request by https. This breaks some sites for me in the rare case when the site can only be accessed by http and gives an error if accessed by https.
For example, the hostname bisim.info -- if you go to http://bisim.info/ , it redirects several times until you end up at https://bisim.info/b/http://www.dw.de/dw-%D8%AE%D8%AF%D9%85%D8%A7%D8%AA/%D9%86%DB%8C%D9%85-%D9%82%D8%B1%D9%86-%D8%AF%D9%88%DB%8C%DA%86%D9%87-%D9%88%D9%84%D9%87-%D9%81%D8%A7%D8%B1%D8%B3%DB%8C/s-31323
However, if you go to https://bisim.info/ , it gives a 404 Not Found error.
Now, right after I have cleared my Firefox browser history, I paste the hostname "bisim.info" by itself into the address bar. So that there is no doubt about what I'm doing, I've attached a screen capture of just the letters "bisim.info" in the address bar right before I hit Enter.
Immediately after that, I hit Enter, and Firefox goes to https://bisim.info/ which gives 404 Not Found. I used a network capture tool (Fiddler) to confirm that Firefox is not first sending an http request and then getting a redirect (in any case, an http request would redirect to the long url above, not to https://bisim.info/ ). And this does not happen in IE or Chrome, only Firefox.
It also doesn't seem to happen with most other hostnames -- e.g. if I type in www.cnn.com, it goes to the http url.
Why does this happen with the bisim.info hostname? Assuming Firefox truly clears its history when I tell it to, how would it even know that the bisim.info server accepts https connections? Is there something in the DNS record for the bisim.info hostname that says "https connection preferred if possible"? Is Firefox retaining some hidden list of servers that accept https connections, even after I clear my history? Does it communicate with a remote database maintained by Mozilla, which tells Firefox that this server is usually accessed by https and that should be attempted first? I'm at a loss to explain it.
I'm using Firefox 36.0.4 on Windows 7 Home Premium SP1.
All Replies (2)
Thanks cor-el. It seems that bisim.info is no longer sending the Strict-Transport-Security header (I requested headers manually and tested it using the tool at https://www.ssllabs.com/ssldb/index.html , and both sets of results indicate no HSTS, but I may have visited the site when it was sending the header at some point in the past).
I did a search for "bisim.info" in all the files in my profile directory, and found a line in the file SiteSecurityServiceState.txt saying:
bisim.info:HSTS 3 16528 1443242183390,1,0
I can't find any documentation of what the fields mean, but at least that answers the question of why Firefox is doing that.
(It looks like there are also entries in the moz_hosts table of the permissions.sqlite file with the "type" field set to "sts/subd" and "sts/use" and I assume that's for the same thing or something similar, although I don't know why there would be two different storage locations.)
Thanks!
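The SiteSecurityServiceState.txt entry quoted in the reply above can be decoded with a short parser. This is an added example, not part of the original posts and not Firefox code. The field meanings it uses (score, last-access day counted from the Unix epoch, then expiry in milliseconds, state, includeSubdomains flag) are an assumption about Firefox's on-disk format, and the second sample line is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
STATES = {0: "unset", 1: "set", 2: "knockout"}  # assumed meaning of the state field

# First line is the entry quoted in the post; second line is constructed sample data.
SAMPLE = (
    "bisim.info:HSTS 3 16528 1443242183390,1,0\n"
    "example.test:HSTS\t1\t16000\t1400000000000,1,1\n"
)

def parse_line(line):
    """Decode one HSTS record; return None for anything that does not fit."""
    parts = re.split(r"\s+", line.strip())  # real files are tab-separated
    if len(parts) != 4 or ":" not in parts[0]:
        return None
    host, _, kind = parts[0].rpartition(":")
    value = parts[3].split(",")
    if kind != "HSTS" or len(value) < 3:
        return None
    try:
        score, day = int(parts[1]), int(parts[2])
        expiry_ms, state, subs = (int(v) for v in value[:3])
    except ValueError:
        return None
    return {
        "host": host,
        "score": score,
        "last_access": EPOCH + timedelta(days=day),
        "expires": EPOCH + timedelta(milliseconds=expiry_ms),
        "state": STATES.get(state, "unknown"),
        "include_subdomains": bool(subs),
    }

def active_hsts(text, now):
    """Hosts whose cached HSTS entry is set and unexpired at `now`."""
    records = (parse_line(line) for line in text.splitlines())
    return [r["host"] for r in records
            if r and r["state"] == "set" and r["expires"] > now]

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse_line(line))
    print(active_hsts(SAMPLE, datetime(2015, 4, 10, tzinfo=timezone.utc)))
```

Under that reading, the quoted entry is an HSTS record that is set, does not cover subdomains, and stays in force until its expiry date even though the site has stopped sending the header.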