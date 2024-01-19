Vivaldi keeps using HTTPS when the setting for it is disabled
See here, the browser has HTTPS always disabled.
But this site always goes to the HTTPS version regardless of that setting
mib2berlin
@qriox
Hi, this is a bug, it is already reported and confirmed in the bug tracker.
I cant find the report at moment.
Cheers, mib
"Always use" is now inactive, even when enabled, because Chromium has now been modified to try HTTPS first in many cases, and only if that fails use HTTP (that policy can be disabled, at which time "always use" becomes active if enabled).
A separate possibility is that the site has set a HTTP Strict Transport Security (HSTS) flag for the domain. Search at vivaldi://net-internals/#hsts for information about that possibility. If set, requests to the site will always use HTTPS. (There is no pre-shipped HSTS flag for the domain, and none sent in my test, but one may have been sent earlier; incorrect ones have been known to brick sites for extended periods.)
My test shows that it loads the HTTP site, not the HTTPS site, and that the HTTPS site has an incorrect certificate (wrong name)
Found: static_sts_domain: static_upgrade_mode: UNKNOWN static_sts_include_subdomains: static_sts_observed: static_pkp_domain: static_pkp_include_subdomains: static_pkp_observed: static_spki_hashes: dynamic_sts_domain: musicfamily.org dynamic_upgrade_mode: FORCE_HTTPS dynamic_sts_include_subdomains: false dynamic_sts_observed: 1705714628.615776 dynamic_sts_expiry: 1792114628.616032 static_sts_domain: static_upgrade_mode: UNKNOWN static_sts_include_subdomains: static_sts_observed: static_pkp_domain: static_pkp_include_subdomains: static_pkp_observed: static_spki_hashes: dynamic_sts_domain: musicfamily.org dynamic_upgrade_mode: FORCE_HTTPS dynamic_sts_include_subdomains: false dynamic_sts_observed: 1705714628.615776 dynamic_sts_expiry: 1792114628.616032 static_sts_domain: static_upgrade_mode: UNKNOWN static_sts_include_subdomains: static_sts_observed: static_pkp_domain: static_pkp_include_subdomains: static_pkp_observed: static_spki_hashes: dynamic_sts_domain: musicfamily.org dynamic_upgrade_mode: FORCE_HTTPS dynamic_sts_include_subdomains: false dynamic_sts_observed: 1705714628.615776 dynamic_sts_expiry: 1792114628.616032
This is what I get from the net-internals/hsts. How do I change that "dynamic_upgrade_mode" flag?
@qriox This means that the site at one time set a HSTS flag. Later, the server config changed, and now they have effectively bricked the site for anyone who visited it in that period, as long as the entry is valid.
You can't change it, but you can delete such site-added flags in the section below the search.
BTW, the validity time for that entry appears to be 3 years
Yeah, even after deleting it still doesn't work.
@qriox Did you restart Vivaldi?
Yes, still persists, even after a restart of Vivaldi
You might want to check that you are using the correct URL, and you may need to delete some cache data (it could be that some cached information sticks around)
(and, since you have accepted that certificate, it might be that the HTTPS First policy kicks in) (I am unsure about its exact rules)
mib2berlin
With Firefox and Edge it opens, yes. So I dunno how to, say... reject the certificate on my machine?
@mib2berlin Looks like you have "always secure" enabled
@qriox Click on the "warning triangle", there is a link there to turn warnings back on.
Now I get this... Still on HTTPS tho.
It worked
DoctorG Ambassador
In my opinion a bug with Vivaldi settings.
VB-103080 "Browser always redirects to HTTPS port if available, even if "Always secure" disabled." - Won't Fix
Sad to see the bug closed.
Not want to be redirected to https in current Vivaldi?
Set a internal flag (always experimental to do this!).
Open
vivaldi://flags/#https-upgrades
Set to Disabled
Restart
DoctorG Ambassador
Currently testing a domain with and without SSL (having no HSTS!) is not available anymore.
Chrome's decision that all has to be SSL and to force users to SSL is bad.
Only webmasters and IoT manufacturers should have the right to force user's browser to redirect to SSL when it is needed!
I dislike the invisible and unknown traps which Vivaldi inherits from Google Chrome.