Force https problem

Ask for help about NoScript, no registration needed to post
ttt

Force https problem

Post by ttt »

Add nhs.uk *.nhs.uk to list.

Go to http://www.nhs.uk/ - urlbar changes to https://www.nhs.uk/Pages/HomePage.aspx but page is http.

Go to https://www.nhs.uk/Pages/HomePage.aspx - http objects from the same domain are downloaded.
Firefox/3.5
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Force https problem

Post by Giorgio Maone »

ttt wrote: Go to http://www.nhs.uk/ - urlbar changes to https://www.nhs.uk/Pages/HomePage.aspx but page is http.
It seems HTTPS to me. What convinced you of the contrary?
ttt wrote: Go to https://www.nhs.uk/Pages/HomePage.aspx - http objects from the same domain are downloaded.
No, all the images and other resources from http://www.nhs.uk are served through HTTPS for me.
Again, how did you observe what you're stating? TCP sniffing or what?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
ttt

Re: Force https problem

Post by ttt »

Yes, I get HTTP content from that site (looking at TCP packets); also, in the first example (redirect) there is no SSL padlock in Firefox but the urlbar says https.

All other extensions disabled while testing.

Force https works on all other sites.
Firefox/3.5
Giorgio Maone

Re: Force https problem

Post by Giorgio Maone »

Confirmed. The site automatically redirects any HTTPS request to its HTTP counterpart, and NoScript doesn't act on these self-redirections.
This is hardly exploitable by an attacker, but it's nevertheless a bug which I'm investigating for a quick fix.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
Giorgio Maone

Re: Force https problem

Post by Giorgio Maone »

Fixed in latest development build 1.9.9.33.
Notice that the correct behavior implemented now obviously causes a redirect loop on stubborn sites like this, making them unusable.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
ttt

Re: Force https problem

Post by ttt »

Agree it is correct behaviour even if some sites become unusable; force https would be broken on those sites anyway, which is bad for the user. Thanks for the fix!
Firefox/3.5
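
The behaviour discussed in this thread, modelled offline as an added example (not NoScript's code and not part of any post): a force-HTTPS rule applied only to the first request ends on plain HTTP when the site redirects HTTPS back to HTTP, while applying it to redirect targets as well produces the redirect loop mentioned above. The site model and the names `stubbornSite`, `forceHttps` and `navigate` are hypothetical.

```javascript
// Added illustration; the site model and all function names are hypothetical.
// Constructed server behaviour: every HTTPS request is redirected to its
// HTTP counterpart, as confirmed in the thread for the reported site.
function stubbornSite(url) {
  const u = new URL(url);
  if (u.protocol === "https:") {
    u.protocol = "http:";
    return { status: 302, location: u.href };
  }
  return { status: 200 };
}

// Force-HTTPS rule: upgrade http:// URLs whose host is a listed domain or a
// subdomain of one (a simplification of the "nhs.uk *.nhs.uk" list entries).
function forceHttps(url, hosts) {
  const u = new URL(url);
  const listed = hosts.some(h => u.hostname === h || u.hostname.endsWith("." + h));
  if (listed && u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// Follow the redirect chain. `upgradeRedirects` selects whether the rule is
// also applied to redirect targets (the fixed behaviour) or only to the
// first request (the behaviour reported in the thread).
function navigate(startUrl, respond, hosts, upgradeRedirects, maxHops = 10) {
  let url = forceHttps(startUrl, hosts);
  const seen = new Set();
  for (let hop = 0; hop < maxHops; hop++) {
    if (seen.has(url)) return { outcome: "redirect-loop", url };
    seen.add(url);
    const res = respond(url);
    if (res.status < 300 || res.status >= 400) {
      const secure = new URL(url).protocol === "https:";
      return { outcome: secure ? "loaded-https" : "loaded-http-downgraded", url };
    }
    // Resolve the Location header against the current URL before checking it.
    const next = new URL(res.location, url).href;
    url = upgradeRedirects ? forceHttps(next, hosts) : next;
  }
  return { outcome: "too-many-redirects", url };
}
```

Calling `navigate("http://www.nhs.uk/", stubbornSite, ["nhs.uk"], false)` yields the silent downgrade; passing `true` yields the loop, which fails closed instead of loading over HTTP.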