18

tl;dr I want to browse an http-based URL but Firefox will not let me.

A local network HTTP server is at http://host (port 80) and the corresponding HTTPS server is at https://host (port 443).

When I type into the Firefox Address Bar http://host, Firefox insists on changing the URL to https://host.
Using the Web Developer Tools -> Network tab, I can see Firefox goes directly to https://host despite my entry of http://host. Firefox is not receiving an HTTP 300 Redirect from the server.

How do I instruct Firefox to not overwrite http with https?
How do I instruct Firefox to connect to http://host?


Using Firefox 100 on Windows 10.

Improve this question
8
  • 3
    I commend your attention to support.mozilla.org/en-US/kb/…
    – Jeff Zeitlin
    Commented May 17, 2022 at 19:44
  • 3
    Did your HTTPS server perhaps, at any point in the recent past, serve a HSTS header?
    – Daniel B
    Commented May 17, 2022 at 19:51
  • 1
    also, if you haven't enabled HTTPS-Only mode, and have never had HSTS on the HTTPS version of the site,look at this: support.mozilla.org/en-US/questions/959914 . Once you have visited a site in HTTPS the address bar will remember and always prefer HTTPS.
    – Frank Thomas
    Commented May 17, 2022 at 21:51
  • 1
    Thanks @DanielB . In my case, according to the Network tab, the selection of https instead of http occurs before any HTTP communication occurs. Also, in the Network tab, I checked Disable Cache. ⠀⠀⠀However, you wrote "any point in the recent past, serve a HSTS header". Firefox reported "host has a security policy called HTTP Strict Transport Security (HSTS)". This may be the culprit.
    – JamesThomasMoon
    Commented May 19, 2022 at 19:56
  • 1
    An immediate workaround I found is to use the IP Address of the host, e.g. http://192.168.0.1. Then I was able to connect via http (to port 80). This is likely because no HSTS header (Strict-Transport-Security) has been seen by Firefox for that host association.
    – JamesThomasMoon
    Commented May 19, 2022 at 20:04

5 Answers 5

Reset to default
8

I ran into this while using dev as an alias for 127.0.0.1 because I wanted to use a host header with nginx to access a virtual server.

Turns out that's now a real TLD and part of what's called the "preloadlist". None of the above suggestions worked for me, but these did:

Summary: set network.stricttransportsecurity.preloadlist to false

Improve this answer
4
  • 2
    Instead of linking to other issues, just tell people to set network.stricttransportsecurity.preloadlist to false.
    – Francois Botha
    Commented Sep 19, 2023 at 9:25
  • 1
    I could, but I wanted to give those posts the credit, and they also contain more context than I provided because I didn't feel like repeating it. Just like how SO staff routinely mark a question as a duplicate and link to an older version...
    – odigity
    Commented Sep 19, 2023 at 13:32
  • 1
    The StackOverflow guidelines on a good answer are that including links is not a bad idea, but the rest of the answer should be self-sufficient. meta.stackexchange.com/questions/225370/…
    – Francois Botha
    Commented Sep 22, 2023 at 11:30
  • 1
    Did not work for me (Firefox 120)
    – gdonald
    Commented Nov 24, 2023 at 14:24
5

Neither

  • browser.fixup.fallback-to-https: false
  • browser.urlbar.autoFill: false
  • HTTPS Only disabled in settings
  • HTTPS Only enabled and correct exceptions set

and all possible combinations of them did the trick consequently, but

  • browser.fixup.alternate.protocol: http

fixed it for me

Improve this answer
3
3

Take a look at HTTPS-Only Mode in Firefox and check, if HTTPS-Only Mode is enabled.

Improve this answer
1
  • 2
    Thanks @MBehrens. Good suggestion. However, the setting was already set to Don’t enable HTTPS-Only Mode. .
    – JamesThomasMoon
    Commented May 19, 2022 at 19:49
2

tl;dr use the IP Address

IP Address

Instead of browsing to a URL of the named host, e.g. http://host, browse to the URL of the IP Address, e.g. http://192.168.1.2.

Firefox and other browsers will not forcibly insist on https protocol if Don’t enable HTTPS-Only Mode is set.

In Settings page (about:preferences), section Privacy & Security, change HTTPS-Only Mode to Don’t enable HTTPS-Only Mode

HTTPS-Only Mode

Other configurations to consider

  • in about:config page, change browser.fixup.fallback-to-https to false (thanks @ubfan1)
  • search "HTTPS" and tweak other settings until you have it

Related, browsing to the IP Address URL also allows an opportunity to skip TLS certificate checking for https connections.

Improve this answer
9
  • 2
    Wish it were true, but Firefox 106.0.4 still insists on using https on IP address connections. Even if exceptions are added to the "use https" and even if "don't use https" is checked. Maybe you have some other setting which actually will allow http?
    – ubfan1
    Commented Nov 3, 2022 at 22:33
  • @ubfan1 I tested it again and still works for me. Using Firefox 106.0.3. I have set HTTPS-Only Mode to option Don’t enable HTTPS-Only Mode. Also have setting Enable DNS over HTTPS as unchecked. Using Private setting Standard. I also tested against a site not in my Bookmarks using a quickie HTTP server python3 -m http.server 80. I was able to browse the non-bookmarked site at http://192.168.1.1:80.
    – JamesThomasMoon
    Commented Nov 4, 2022 at 0:14
  • I confirm your test works on Ubuntu 22.04/Firefox 106.0.4. My explicit problem is connecting to an old security camera -- Old TLS support only, so maybe some fallback to https before reporting https failed instead of : "connection refused" like Chrome does.
    – ubfan1
    Commented Nov 4, 2022 at 0:59
  • 1
    I found that setting browser.fixup.fallback-to-https to false in about:config will prevent the https switch to http (and reverted the dozen or so other changes I had made on various https settings). So now I get the refused connection like Chrome. I did try some TLS and SSL changes, but connection still refused. Getting an old Firefox version looks like my best bet at this time -- an old program to connect to old devices. Thanks for the help.
    – ubfan1
    Commented Nov 4, 2022 at 15:41
  • 1
    This is not a good solution. Many sites nowadays use name-based virtual hosting. The IP address alone isn't enough. The hostname is a required ingredient.
    – Daniel B
    Commented Nov 4, 2022 at 19:18
1

I realized that I was getting this same error while trying to go to http://192.168.x.x/somepage.html when actually I needed to be going to http://192.168.x.x:5000/somepage.html. When I had forgotten to include the port number, I was getting upgraded to https no matter what I tried. Once I included the appropriate port, it worked just fine with http.

Improve this answer
0

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .