Can't use HTTP - forced to HTTPS

  • 1
  • Problem
  • Updated 5 years ago
Due to the mixed content issue on recent Chrome/Firefox (discussed elsewhere), I want to set Newsblur to use HTTP rather than HTTPS. I don't mind my newsreading habits being public.

There is a setting in preferences that selects between insecure and secure but it appears to have absolutely no effect. In fact, even the NewsBlur homepage (un-logged in) loads up as HTTPS.

Is this 'insecure' setting now retired in favour of forcing everyone onto HTTPS (a decision I understand, although irritating now that Newsblur seems to not work properly with current versions of two major browsers)? If so, you probably want to remove the setting.
Or is this a bug/user error and insecure connections should work?

I'm on Chrom 38.
Photo of Will

Will

  • 26 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1
Photo of Samuel Clay

Samuel Clay, Official Rep

  • 6514 Posts
  • 1474 Reply Likes
It's a bug that I can't seem to kill. I added a HSPS header to my HAProxy SSL config, which had the effect of forcing some browsers to switch to https from http, as that's kind of what the header says. I took it out a day later, but browsers cache that header aggressively. I have not yet found a way to force browsers to re-cache the headers on http.

I've tried deleting the HSPS.plist file for Safari, but that did not seem to have an effect. Firefox has an `about:cache` setting that cna toggle it, as can Chrome. If somebody figures out a way to invalidate the HSPS cache for NewsBlur and then tests whether or not their browser still tries to use https over http, let me know.
Photo of Will

Will

  • 26 Posts
  • 0 Reply Likes
[I'm assuming you mean HSTS rather than HSPS?]

I just closed NewsBlur then flushed all of the Chrome cache and loaded it back up and it has come back as normal HTTP, so it looks like you've got the cause of the problem right (and it's fixed for me).

I think what you need to do is set the header again, but with max-age set to 0. That should cancel the STS behaviour and remove it from the cache.
Look at section 6.1.1 in http://tools.ietf.org/html/rfc6797.
Photo of Samuel Clay

Samuel Clay, Official Rep

  • 6514 Posts
  • 1474 Reply Likes
Yes, thank you Will! I'll do that shortly.
Photo of Samuel Clay

Samuel Clay, Official Rep

  • 6514 Posts
  • 1474 Reply Likes
Bingo, that fixed it.

For anybody else, http now works, although you might have to refresh it once to get it to work, which is unfortunate. When you hit http right now, the https header is still there, so you'll get redirected back to https. But when you hit http again, it'll work.

Alternatively, just reload the https site and then http will work.