[Webkit-unassigned] [Bug 138535] HTTP only page being forced to HTTPS

bugzilla-daemon at webkit.org
Sat Nov 8 10:23:01 PST 2014


Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
                 CC|                            |ap at webkit.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Alexey Proskuryakov <ap at webkit.org> ---
I cannot reproduce this issue; http://devicefinder.eleboards.com opens normally in Safari on OS X Yosemite for me.

Is there an entry for eleboards.com in your ~/Library/Cookies/HSTS.plist file? This behavior is consistent with eleboards.com previously sending a Strict-Transport-Security HTTP response header to you - if it was marked "with subdomains", then devicefinder.eleboards.com is also subject to the restriction.

I verified that eleboards.com doesn't send this header now, so it was probably a temporary mistake made by the webmaster. Alternatively, only some pages on the site have it, and I just didn't happen to open the ones that do. One way or another, this is correct behavior for a web browser. All browsers that have seen such a response in the past will be affected.

Please see <http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security> for more information about strict transport security.

A workaround is to remove the HSTS.plist file, and then execute this command from Terminal:

killall -9 cookied
