V 6.7 | Forces HTTPS
-
@jure I think this happens in your case only if no scheme (the http://) was typed at start of address field, right?
-
@mib2berlin: Flags did not help, unfortunately.
@DoctorG: this is the address: http://wolverine.si/hp1000se/indexDesktop.php
It is my weather station home page and when browser forces HTTPS: then random blocks on the page will not load for some reason. Just spinning globe symbols. It's random and we never could figure out the cause for that.
HTTP: works, though. I tried all kinds of things setting up the page, there are no redirects and such...Thank you for trying to help!
-
@jure Really strange.
Vivaldi 6.7.3329.17 (has Chromium core 124.0.6367.90) forces HTTPS.
Whereas Chromium 124.0.6367.79 does not. And Edge 124 does not.For me looks lik a bug in Vivaldi 6.7 as if have in Settings → Address Bar → Security Feataure → Always use SSL set to off.
-
Disabling the flag for
https-first
used to work, but is no longer in Chromium 124.I'd agree this is a bug in Vivaldi - it should work like users expect - like other browsers. However I'm not sure @yngve agrees on this point... this has been up for discussion on the forum several times. It's just Vivaldi's url field works differently apparently.
-
@Pathduck Any bug report on this?
-
@Pathduck Reaklly broken in Vivaldi, if i use http://myserver , (myserver is a local IP and hostname of web server) it is not redirected to https://myserver - as desired by me.
-
@Pathduck said in V 6.7 | Forces HTTPS:
https-first used to work, but is no longer in Chromium 124
Or do you mean, "It doesn't Work"
? -
-
@Pathduck said in V 6.7 | Forces HTTPS:
will just be closed as "Won't Fix"
And yes, that's what i fear, too.
-
@Pathduck said in V 6.7 | Forces HTTPS:
chrome://flags/#https-upgrades
No longer exists in Chromium 124.Reappears only if vivaldi://flags/#temporary-unexpire-flags-m122 is set to Enabled.
But as such is unexpire flag is experimental, it is not really a longterm workaround. Why not long-term? Because Chromium devs can remove it completely in a next core version. -
@jure
As a webdev, programmer ans server admin i do not understand why users run a websites with and without SSL, but have broken mixed content in the SSL driven pages.
Very old content with http://-links and then after years added SSL for the domain? Broken web content generator? Broken CMS? -
@jure Can get it working!
the Temperatura graph in pane shows up if i use Private Window and select or switch in dropdown between Temperatura and others.I had no detected why this happens.
//EDIT at 18:10 CEST:
Really crazy, works all if i start Vivaldi Stable in cmd.exe command line without Vivaldi UI and a clean profile (making no settings or adding extensions!) with this command
start vivaldi --disable-vivaldi --user-data-dir="%TEMP%\TEST123"
OK, i will report that to internal bug tracker and ping QA and internal tester team.
VB-105961 "Active Vivaldi UI breaks loading of page" - Confirmed
-
Seems Vivaldi only does not allow to load the content, because it uses HTTPS first. Differs from Chromium 124 and Edge 124. Sad.
I do not know if Vivaldi devs want to fix their security feature. As @Pathduck mentioned, my report could become "Won't Fix" -
@DoctorG The reason for the difference is that Chrome and Edge uses the Chromium Omnibox address-bar, which has hardcoded logic that adds specific flags into calls starting the page load; that is either difficult or impossible without extensive hackery of the Vivaldi JS address-bar.
IMO (one might probably say IMNSHO) if the server have both HTTP on port 80 and HTTPS on port 443 configured, then one should make the server on 443 the primary one (and redirect there from 80). The "problem" only occurs if one mixes the two, and expect to get to port 80. You will get to port 80 iff there is no open port 443.
-
@yngve said in V 6.7 | Forces HTTPS:
IMO (one might probably say IMNSHO) if the server have both HTTP on port 80 and HTTPS on port 443 configured, then one should make the server on 443 the primary one (and redirect there from 80). The "problem" only occurs if one mixes the two, and expect to get to port 80. You will get to port 80 iff there is no open port 443.
This is not a valid assumption. Webservers can serve both http sites and https sites. Just because a webserver has port 443 open does not mean that particular site is configured for or even capable of https. Further, closing port 443 on the webserver would break any site that does use https.
-
@BunxBun Of course, some server admins want to be difficult, and thus make difficulties for themselves (and their users).
My point is that in normal 80&443 deployments everything on port 80 should be mirrored by port 443; in fact, in most cases the only thing on 80 is a configuration to redirect everybody to 443.
-
@yngve The fact remains that there's probably hundred thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
But users have their bookmarks pointing to HTTP, and they need to check their local weather. They have absolutely zero interest that HTTP is "insecure", that their ISP and every intermediate router can see their data or there's a risk for a MITM attack (not that they know what that is anyway).
They never look at the address bar and wouldn't even know what the padlock signifies. They just want to check their weather report.
And they install Vivaldi, they try their usual sites and it breaks.
Then they try in Chrome or in their system default browser (Edge in most cases), it works fine there and they just conclude that Vivaldi is broken and loses a user. -
@Pathduck said in V 6.7 | Forces HTTPS:
They just want to check their weather report
-
The Settings → Address Bar → Security Features → Always Use Secure Connection (HTTPS) is completely nonsense for me as, it does not deactivate the Forced HTTPS
When Vivaldi does uses forced HTTPS, i fear that users will use an other browser as Ungoogled Chromium, Edge, Firefox or Brave or leave Vivaldi as their browser.
-
@Pathduck said in V 6.7 | Forces HTTPS:
@yngve The fact remains that there's probably hundred thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
There's an old IETF saying, which used to be a philosophical foundation of internet communications:
"Be strict in what you send, permissive in what you will receive"
The "least damage" attitude to global communications.
Nowadays we have the web browser "ecosystem" nannying us to the "lowest common denominator" of user which would literally punch themselves in the face all day long with their ignorance of the online world, and the internet clients thus dumb the whole process down as if everyone is one of those people. "For their own safety".
Over the last few years I lost count of how many online services "for my safety" forced all sorts of new draconian but effectively pointless or worse than pointless "security theater" measures on my longstanding old accounts that had never had a breach or security issue in decades of ownership. In some cases these measures literally resulted in those accounts getting deleted or wiped because I didn't discover until after the short transition period that if I didn't flip some button or tick some box they would just assume I was dead and delete all my stuff I had collected there over the years over it.
Just lovely.