Feature Request: Allow disable/override HSTS
-
I have a simple feature request: allow users to disable HSTS compliance in Vivaldi, at least in the Experimental settings.
I really love Vivaldi. But it is also really annoying that I need to use a different browser (Firefox in my case) to access certain web sites.
For me Vivaldi would get even closer to perfect if I could use it for all sites, no matter whether the site requires HSTS or not.
-
@MichaelMaier Hi - see Settings > Address Bar > Always Use Secure Connection.
This basically toggles the same setting in the Chromium settings page:
chrome://settings/security
I always disable it in Vivaldi, as I find HSTS useless and prone to failing.
-
@Pathduck for me, this didn't solve the issue.
I am able to use a non-HTTPS company (i.e. internal) site with Firefox.
With Vivaldi I get an "ERR_SSL_PROTOCOL_ERROR" although I am using http: not https:
It says the response was invalid. German error message: "Diese Website kann keine sichere Verbindung bereitstellen. xxxxx hat eine ungültige Antwort gesendet. Versuchen Sie, eine Windows-Netzwerkdiagnose durchzuführen. ERR_SSL_PROTOCOL_ERROR"
Any ideas?
-
You can query and, to some extent, add/delete HSTS policies (for non-preloaded policies) in the Domain Policy section of the chrome://net-internals page.
"Always use secure connection" is not related to HSTS, but a policy for all URLs, and can be controlled from the Vivaldi Settings for the Address Bar. This setting is disabled by default, because it does cause some issues.
If the internal site has a host name below the public domain, e.g. myhost.internal.example.com, and your sysadmin has configured HSTS for the domain and subdomains (or worse, had it preloaded in the browser), then all servers, including the internal ones, have to use HTTPS.
If an HSTS policy has been configured by the websites (not preloaded in the browser), the policy can be removed in the Domain Policy settings page mentioned above. However, the next time you visit the externally visible sites of the company, the policy will be re-added.
If this is the case for your internal sites, then the only scalable solution is for your sysadmins to either remove the HSTS policy from the public sites (not a good idea), or to update ALL internal servers to HTTPS (better, but a lot of work).
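The includeSubDomains behaviour described in this reply, as an added example that is not part of the thread or of Vivaldi/Chromium code: a small Python model of a browser's dynamic HSTS cache (host names are constructed), showing that a policy sent by example.com reaches myhost.internal.example.com, that deleting it as in net-internals helps only until the public site is visited again, and that preloaded entries are not modelled at all.

```python
# Added example (not Vivaldi/Chromium code): a minimal model of a browser's dynamic
# HSTS cache, showing why myhost.internal.example.com is forced to HTTPS once the
# public site sends includeSubDomains. All host names are constructed.
import re
import time
_MAX_AGE = re.compile(r'^max-age="?(\d+)"?$', re.IGNORECASE)

def parse_hsts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    value, or None if it is invalid (RFC 6797 requires max-age)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = _MAX_AGE.match(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Dynamic (non-preloaded) policies keyed by host, like the Domain Policy
    view in chrome://net-internals. Preloaded entries are not modelled."""
    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}  # host -> (expiry timestamp, include_subdomains)

    def observe_response(self, host, header):
        """Apply a header received over HTTPS; max-age=0 deletes the policy."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (self.now() + max_age, include_sub)

    def delete(self, host):  # manual removal, as a user can do in net-internals
        self.policies.pop(host, None)

    def must_use_https(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > self.now() and (i == 0 or policy[1]):
                return True
        return False
```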
-
Supporting that request.
Please take a note on how Firefox (simply) does it:
Warning, extended information, and then:
Give the user a choice. As developers, we need to be able to access "unsecure" sites, which are simply unsecure because they run locally, or are redirected via the hosts file and are in development.
Do not create artificial barriers for advanced users.
Or worse - make things super complicated, which costs time.
-
@vonSeiten I do not think you can override all broken SSL certs, DNS and web server settings while you "test" web apps and sites.
Typing thisisunsafe on the page (do not select address field!) when warning page appears does not work for you?
⇒ https://cybercafe.dev/thisisunsafe-bypassing-chrome-security-warnings/