Safari forcing HTTPS for some HTTP only sites

I have a strange issue with Safari (7.0.1 on Mavericks 10.9.1). It is similar to a few other issues that folk have posted about here but I am opening a separate post because some of the details are different. Please read to the end before suggesting I try disabling extensions, clear cache etc.


This issue is affecting only one user on one Mac (we have several users and several Macs).


We host our own web-site using OS X Server (Mavericks / Server 3.0). Some areas of the site support both HTTP and HTTPS access. For example:


Live (public) site


http://www.ourdomain.com (on port 80)

https://www.ourdomain.com (on port 443)


and


Test (internal) site

http://www.ourdomain.com:81

https://www.ourdomain.com:444


and


Intranet (internal)


http://www.ourdomain.com:8080


Most areas of the site do not require HTTPS protection and in particular for the Test site both the http and the https versions have explicit ports. For the Intranet site there is no HTTPS version. For the live and test sites, a certain sub-set of the site requires user authentication and I have redirects set up to redirect access to just those areas via the HTTPS URL which also enforces user authentication.


This setup all works fine, except for this one user on this one machine and only when they use Safari (Chrome and FireFox are fine)...


They have Safari bookmarks saved for the HTTP URLs and after a while:


1. These bookmarks start referring to the HTTPS URLs. The actual bookmarks get changed and the http gets changed to https! In the case of the Test and Intranet sites these URLs are not even valid. So, the bookmarks no longer work. If we edit the bookmarks and change them back to http they immediately revert back to https!


2. If one types the HTTP URL directly into the address bar then Safari ignores the HTTP and instead tries to go to the HTTPS version of the URL.


Basically, there is no way to get Safari to access the HTTP versions of any of these URLs with the result that the Test and Intranet sites are unusable.


This user only has the same extensions as other users have and they all work okay. We have tried disabling extensions but it does not resolve the issue. Doing a full reset of Safari will resolve the issue temporarily but this deletes a lot of stuff, such as History, that the user does not want deleted. And the issue always recurs after a while anyway.


Does anyone have any idea what is causing this behaviour and how to prevent it? It is driving me and the affected user mad!

iMac, OS X Mavericks (10.9)

Posted on Feb 9, 2014 6:09 AM

Question marked as Best reply

Posted on Feb 9, 2017 8:04 PM

I realize this is an old thread, but I hope this helps someone in the future...


This problem infuriated me for a long time. As you suggest, Safari will cache HTTP Strict-Transport-Security requests from websites and automatically switch to https in the future. This creates a lot of problems when you are running multiple different servers on `localhost`, some of which request it, and others that don't. In my case, it caused connections to my Jupyter notebooks to fail after I had tunneled connections to other sites through ssh.


There are old posts elsewhere on the web that suggest quitting Safari, deleting ~/Library/Cookies/HSTS.plist, and restarting Safari will resolve the issue. This didn't work for me on macOS Sierra because the HSTS settings were being cached and the file would be recreated. In my case, I had to


  1. Quit Safari
  2. In Terminal, `rm ~/Library/Cookies/HSTS.plist`
  3. Immediately reboot before some background service reconstructed the file


I filed a report with Apple suggesting that HSTS not be saved for localhost, which isn't really a domain anyway. Don't know if they will acknowledge.

32 replies

Jul 9, 2016 9:25 AM in response to ChrisJenkins

This fixes it in the latest Safari (July 2016):


- Quit Safari

- Edit this file: ~/Library/Cookies/HSTS.plist and remove the entry that is causing trouble, or if you're feeling bold delete the whole file (which contains 100s of entries for me), but be warned Apple has this feature in place for your safety so editing is preferred.

- DON'T reopen Safari (it caches the file). Instead restart your Mac.


Now it should work next time you open Safari 🙂
