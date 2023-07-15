We will be updating the Forum on Wednesday, 18th of October between 12:30 and 14:30 (UTC) (see the time in your time zone). During this time you may experience some downtime. Thanks in advance for your patience. 🙂
Typing address ALWAYS tries http first (ignoring settings)
chinatablet
Although I have "Always use secure connection (HTTPS) checked, if I type in an address (ex: google.com), it ALWAYS tries "http://google.com" first and then (presumably because the target site has rules for it) switches to "https".
I'm worried this is a potential security hole, attempting to connect to a secure site (which supports https) via http first.
I realize some sites still do not support https, and perhaps it could try that (http) SECOND, if https didn't work?
Thanks in advance
@chinatablet I don’t know the reason, but I wouldn’t call it a security problem. In the end you are still securely connected to the target page. And viewing http pages is perfectly fine too, just don’t input any passwords/info.
By the way, Firefox seems to handle it much the same.
@chinatablet
there is/was(?) an feature request from years ago to set https as default for new tabs, but I don't find it anymore.
so that's a longterm "problem"
Actually I think this feature is broken in Vivaldi at the moment, and it was broken in 6.0 from what I can tell going back in the versions. It works as expected in 5.7.
A quick test is just going to a domain that listens on both http and https but does not do a redirect itself.
Examples:
http://example.com
http://interlex.it
http://techenclave.com
http://relaxedserenebrightspell.neverssl.com/online/
http://httpforever.com (will warn if setting works as cert is invalid)
You would expect pasting those urls into the address bar or just typing the domain with the setting enabled, it would redirect to the https page, but it does not. It does toggle the setting at
chrome://settings/securityso it's not as simple as that.
Seems to work as expected in Chromium 114 so it can't be a Chromium/upstream issue.
Interestingly, in DevTools, even in Chrome/Chromium, it still shows a request to
http://and weirdly after the
https://request but that's probably some Devtools/Chromium quirk, there's no actual request going out on port 80... it shows as Other/Pending.
I'll try to pester some devs, as I'm not sure if I'm misunderstanding something, but it looks broken to me.
DoctorG Ambassador
@chinatablet Yes, broken in 6.1.3035.111 and 6.2.3077.3 .
Report was made to tracker.
VB-98893 "Not redirected to SSL even if set in settings for Address Bar"
chinatablet
@Pathduck Thanks for those "http only" sites. I'll keep them for future testing/use!
DoctorG Ambassador
Perhaps related to internal Chromium flag vivaldi://flags/#https-first-mode-v2
DoctorG Ambassador
@DoctorG said in Typing address ALWAYS tries http first (ignoring settings):
VB-98893 "Not redirected to SSL even if set in settings for Address Bar"
Work in progress, i checked, it is already fixed in a internal 6.4.xxxx.
Now, let us wait for an update of 6.2 or 6.3.