为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

How to disable HSTS for "ajax.googleapis.com" ?

more options

Using firefox 39.0.3 now. I have edited the hosts file to redirect "ajax.googleapis.com" to my local machine(127.0.0.1). When I visit the site, firefox tells me this site uses HSTS, and cannot add an exception.

So I need a way to disable this feature to make my visit available.

I have tried following steps, but failed: Set "network.stricttransportsecurity.preloadlist" to false in about:config page. Forget all pages contains "ajax.googleapis.com" from the history window. Restart the firefox.

Using firefox 39.0.3 now. I have edited the hosts file to redirect "ajax.googleapis.com" to my local machine(127.0.0.1). When I visit the site, firefox tells me this site uses HSTS, and cannot add an exception. So I need a way to disable this feature to make my visit available. I have tried following steps, but failed: Set "network.stricttransportsecurity.preloadlist" to false in about:config page. Forget all pages contains "ajax.googleapis.com" from the history window. Restart the firefox.

被采纳的解决方案

jscher2000 said

The HSTS flags are stored in the permissions.sqlite database, which is not easily editable. See https://support.mozilla.org/questions/984794#answer-528146 about using the SQLite Manager extension to clear them, but of course, they could be reset. Do you use the Apache server for anything else? Are there any applications that might have sent a strict transport security header? If so, the problem is likely to recur.

Unfortunately nothing like %googleapis% found in permissions.sqlite/moz_hosts table.

I guess firefox uses a hard-coded list for some important sites.

Finally I find a solution: 1. backup xul.dll to xul.bak 2. use a hex editor to open xul.dll 3. search "googleapis.com" and change it to something else

定位到答案原位置 👍 3

所有回复 (9)

more options

I do not know if the hosted api allows connections that are not https. It looks like the url redirects so its hard to test but the response did come back as accepting https: http://mxtoolbox.com/SuperTool.aspx?action=a%3aajax.googl... Since it does, you might be able to force it with an add on. Maybe something like noscript to block the https:// site.

more options

Similar previous thread you probably already saw: https://support.mozilla.org/questions/1073172

What web server are you using on localhost?

I like the above suggestion to block scripts from that domain if that is your goal. You can use YesScript if it's a one-off; NoScript requires a lot of training.

https://addons.mozilla.org/firefox/addon/yesscript/

more options

guigs said

I do not know if the hosted api allows connections that are not https. It looks like the url redirects so its hard to test but the response did come back as accepting https: http://mxtoolbox.com/SuperTool.aspx?action=a%3aajax.googl... Since it does, you might be able to force it with an add on. Maybe something like noscript to block the https:// site.

I don't want to block the "https" site, I want to connect it with a self-signed certification. When connect to a site which is not marked as "HSTS", I can add an exception to the firefox's certification manager. If the site uses "HSTS" (such as "ajax.googleapis.com"), the exception does not work, that's why I want to close "HSTS".

more options

jscher2000 said

Similar previous thread you probably already saw: https://support.mozilla.org/questions/1073172 What web server are you using on localhost? I like the above suggestion to block scripts from that domain if that is your goal. You can use YesScript if it's a one-off; NoScript requires a lot of training. https://addons.mozilla.org/firefox/addon/yesscript/

Yes I have saw that and tried, but it's not helpful. You can see the above reply that I don't want to block the site. The web server is apache, but I think it's not important, firefox close the connection before the page's content returns.

more options

I know for chrome you can edit "transport_security_state_static.json" file to manage the HSTS list. Is there a similar file for firefox?

more options

The HSTS flags are stored in the permissions.sqlite database, which is not easily editable. See https://support.mozilla.org/questions/984794#answer-528146 about using the SQLite Manager extension to clear them, but of course, they could be reset.

Do you use the Apache server for anything else? Are there any applications that might have sent a strict transport security header? If so, the problem is likely to recur.

more options

选择的解决方案

jscher2000 said

The HSTS flags are stored in the permissions.sqlite database, which is not easily editable. See https://support.mozilla.org/questions/984794#answer-528146 about using the SQLite Manager extension to clear them, but of course, they could be reset. Do you use the Apache server for anything else? Are there any applications that might have sent a strict transport security header? If so, the problem is likely to recur.

Unfortunately nothing like %googleapis% found in permissions.sqlite/moz_hosts table.

I guess firefox uses a hard-coded list for some important sites.

Finally I find a solution: 1. backup xul.dll to xul.bak 2. use a hex editor to open xul.dll 3. search "googleapis.com" and change it to something else

more options

Omg, that is getting worse.

I run a local mirror of ajax.googleapis.com, it's my choice, not yours, no? You take me this choice and leave me with a crappy solution.

So now, I have to edit a .dll after each update? Please, give us the option in about:config to disable HSTS.

more options

JoeBauers said

So now, I have to edit a .dll after each update? Please, give us the option in about:config to disable HSTS.

I searched for such a thing and the closest preference I saw was network.stricttransportsecurity.preloadlist which the original post said toggling from true to false did not help.