4

When I try to visit certain sites and force http (for good reasons that do not need to be discussed here), Safari (macOS) forces the URL to use https - and since the site currently has no https support, I can't visit the site.

There are many answers that suggest that this is related to HSTS but this does not apply in my case:

The site in question is not listed in Safari's Privacy under WebSite Data nor does it appear in the HSTS.plist file. So, there is some other cause that forces Safari to use https, and I suspect it's from the fact that Safari has previously seen me visiting the site with https and now assumes I always want to do that.

Note that when I load the URL with wget, then I get the http version just fine. That should prove that it's Safari's behavior, not the web site's.

So, beside the HSTS settings what other settings might there be that force https in Safari on macOS?

Thomas Tempelmann
  • 1,772
  • 3
  • 18
  • 37
  • Did you try other browsers? Did you look at the network traffic in the browser? – nohillside Sep 08 '20 at 17:14
  • 1
    I tried Firefox and Chrome, which both have the same unwanted behavior. I start wondering if that's caused by the server after all. The same server (mine) hosts another website where this doesn't happen, though. Also, which browser can show me a precise list of the requests it makes? They all only show me one req for https. – Thomas Tempelmann Sep 08 '20 at 17:24
  • Did you see this: https://stackoverflow.com/questions/46394682/safari-keeps-forcing-https-on-localhost – Allan Sep 08 '20 at 17:24

1 Answers1

2

I believe I have figured it out:

The site is an .app domain, e.g. domain.app. And those sites are by definition https-only. See here.

So, it's still HSTS related, but not on an individual site but for the entire ".app" TLD. And for that reason I could not find the specific domain name listed in HSTS, nor would deleting the HSTS.plist help.

Well, not sure if I should keep this question up. Maybe it helps others that run into this.

Background: It was my own site. I moved it, along with others, to a new server, and need to verify that they work with plain http. So I tested every site in http, and all but this one worked. So I assumed something wrong with the browsers.

And not only Safari but also Firefox and Chrome want to do https only.

Strangely, though, using other way to request the http site, such as the low level command wget, do not enforce the https requirement (they don't know about it, obviously), hence it misguided me into thinking the problem was a latent browser setting that I could fix.

Thomas Tempelmann
  • 1,772
  • 3
  • 18
  • 37