NoScript HTTPS Forcing When Not Forced

Ask for help about NoScript, no registration needed to post
Post Reply
User avatar
therube
Ambassador
Posts: 7991
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

NoScript HTTPS Forcing When Not Forced

Post by therube »

NoScript HTTPS Forcing When Not Forced ?

http://blog.mozilla.org/labs/files/2011/03/do_not_fool_workflow.png

Code: Select all

[NoScript HTTPS] Forced URI https://blog.mozilla.org/labs/files/2011/03/do_not_fool_workflow.png
Similarly you can end up with Forced Channel.

https://blog.mozilla.org/labs/2011/04/protecting-users-from-an-age-old-threat/

Code: Select all

[NoScript HTTPS] Forced Channel https://blog.mozilla.org/labs/2011/04/protecting-users-from-an-age-old-threat/
Yet: noscript.httpsForced; ?

Now the http: does automatically roll over to https:, in Mozilla, Safe Mode, showing a "lock", but not colored.
But in IE the http: does load & when you attempt to load the https:, you get an security certificate warning with an option to load anyway, which it will do.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0 SeaMonkey/2.16a2
Top
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: NoScript HTTPS Forcing When Not Forced

Post by dhouwn »

Strict Transport Security
  • max-age=15768000
  • includeSubDomains
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Top
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:
Contact Thrawn

Re: NoScript HTTPS Forcing When Not Forced

Post by Thrawn »

@dhouwn: Nice one :).

With all of our client-side tools, it's easy to forget that there are server-side protections too :D.
Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Top
Post Reply

Return to “NoScript Support”