V 6.7 | Forces HTTPS
-
-
@Pathduck said in V 6.7 | Forces HTTPS:
will just be closed as "Won't Fix"
And yes, that's what i fear, too.
-
@Pathduck said in V 6.7 | Forces HTTPS:
chrome://flags/#https-upgrades
No longer exists in Chromium 124.Reappears only if vivaldi://flags/#temporary-unexpire-flags-m122 is set to Enabled.
But as such is unexpire flag is experimental, it is not really a longterm workaround. Why not long-term? Because Chromium devs can remove it completely in a next core version. -
@jure
As a webdev, programmer ans server admin i do not understand why users run a websites with and without SSL, but have broken mixed content in the SSL driven pages.
Very old content with http://-links and then after years added SSL for the domain? Broken web content generator? Broken CMS? -
@jure Can get it working!
the Temperatura graph in pane shows up if i use Private Window and select or switch in dropdown between Temperatura and others.I had no detected why this happens.
//EDIT at 18:10 CEST:
Really crazy, works all if i start Vivaldi Stable in cmd.exe command line without Vivaldi UI and a clean profile (making no settings or adding extensions!) with this command
start vivaldi --disable-vivaldi --user-data-dir="%TEMP%\TEST123"
OK, i will report that to internal bug tracker and ping QA and internal tester team.
VB-105961 "Active Vivaldi UI breaks loading of page" - Confirmed
-
Seems Vivaldi only does not allow to load the content, because it uses HTTPS first. Differs from Chromium 124 and Edge 124. Sad.
I do not know if Vivaldi devs want to fix their security feature. As @Pathduck mentioned, my report could become "Won't Fix" -
@DoctorG The reason for the difference is that Chrome and Edge uses the Chromium Omnibox address-bar, which has hardcoded logic that adds specific flags into calls starting the page load; that is either difficult or impossible without extensive hackery of the Vivaldi JS address-bar.
IMO (one might probably say IMNSHO) if the server have both HTTP on port 80 and HTTPS on port 443 configured, then one should make the server on 443 the primary one (and redirect there from 80). The "problem" only occurs if one mixes the two, and expect to get to port 80. You will get to port 80 iff there is no open port 443.
-
@yngve said in V 6.7 | Forces HTTPS:
IMO (one might probably say IMNSHO) if the server have both HTTP on port 80 and HTTPS on port 443 configured, then one should make the server on 443 the primary one (and redirect there from 80). The "problem" only occurs if one mixes the two, and expect to get to port 80. You will get to port 80 iff there is no open port 443.
This is not a valid assumption. Webservers can serve both http sites and https sites. Just because a webserver has port 443 open does not mean that particular site is configured for or even capable of https. Further, closing port 443 on the webserver would break any site that does use https.
-
@BunxBun Of course, some server admins want to be difficult, and thus make difficulties for themselves (and their users).
My point is that in normal 80&443 deployments everything on port 80 should be mirrored by port 443; in fact, in most cases the only thing on 80 is a configuration to redirect everybody to 443.
-
@yngve The fact remains that there's probably hundred thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
But users have their bookmarks pointing to HTTP, and they need to check their local weather. They have absolutely zero interest that HTTP is "insecure", that their ISP and every intermediate router can see their data or there's a risk for a MITM attack (not that they know what that is anyway).
They never look at the address bar and wouldn't even know what the padlock signifies. They just want to check their weather report.
And they install Vivaldi, they try their usual sites and it breaks.
Then they try in Chrome or in their system default browser (Edge in most cases), it works fine there and they just conclude that Vivaldi is broken and loses a user. -
@Pathduck said in V 6.7 | Forces HTTPS:
They just want to check their weather report
-
The Settings → Address Bar → Security Features → Always Use Secure Connection (HTTPS) is completely nonsense for me as, it does not deactivate the Forced HTTPS
When Vivaldi does uses forced HTTPS, i fear that users will use an other browser as Ungoogled Chromium, Edge, Firefox or Brave or leave Vivaldi as their browser.
-
@Pathduck said in V 6.7 | Forces HTTPS:
@yngve The fact remains that there's probably hundred thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
There's an old IETF saying, which used to be a philosophical foundation of internet communications:
"Be strict in what you send, permissive in what you will receive"
The "least damage" attitude to global communications.
Nowadays we have the web browser "ecosystem" nannying us to the "lowest common denominator" of user which would literally punch themselves in the face all day long with their ignorance of the online world, and the internet clients thus dumb the whole process down as if everyone is one of those people. "For their own safety".
Over the last few years I lost count of how many online services "for my safety" forced all sorts of new draconian but effectively pointless or worse than pointless "security theater" measures on my longstanding old accounts that had never had a breach or security issue in decades of ownership. In some cases these measures literally resulted in those accounts getting deleted or wiped because I didn't discover until after the short transition period that if I didn't flip some button or tick some box they would just assume I was dead and delete all my stuff I had collected there over the years over it.
Just lovely.
-
@yngve Yes, Vivaldi uses Foreced HTTPS.
But please explain why that happens with FQDNs which have a domain but not with hostnames?
In my LAN the URLmywebserver
orhttp://mywebserver
is not redirected tohttps://mywebserver
But the last has SSL, but not HSTS!
Behaviour of Vivaldi is not really consistent for me. -
@DoctorG said in V 6.7 | Forces HTTPS:
Always Use Secure Connection
IIRC, and as I have mentioned before, that one takes second place to the HTTPS First now.
-
@DoctorG said in V 6.7 | Forces HTTPS:
In my LAN the URL mywebserver or http://mywebserver is not redirected
At present it seems that Chromium is excluding non-unique hostname (no domain, or not a registry controlled TLD) from HTTPS First. This seems conditioned on feature HttpsFirstModeV2ForTypicallySecureUsers, which is currently disabled by default.
-
@yngve Ah, a internal exlucsion of unknown TLD and hostnames, that explains why that works in Vivaldi.
Thanks for background information -
@Pathduck Something like that, yes. In this case the webpage is mine, although I did not construct it. Some kind soul, another weather enthusiast, programmed everything and even made it user friendly so I and many others could set it up with the many blocks available.
I am simply lacking the necessary knowledge to make the site work as it should - securely. Obviously, there is something wrong, an error somewhere but so far I was unable to find it.
Anyway, thanks for trying to help, I'll keep on digging and hopefully learn a thing or two in the process.
-
Just tested the weather station page yesterday on Linux and Windows (tested with fresh install/profile).
The results:️Never ending load with:
- Vivaldi 6.7.3329.19
- Vivaldi 6.7.3329.21
Loads and does not force Https:
- Chrome 124.0.6367.91
- Chrome Beta 125.0.6422.14
- Chrome Unstable 126.0.6439.0
- Chromium 124.0.6367.78/79
- Edge 124.0.2478.67
- Firefox 125.0.2 (64-Bit)
-
Now the site fails to load completely with Chromium 124.0.6367.119, too.
Oh, works again 124.0.6367.119 Win 11.