How to disable strict transport security?

Cryvage

Post by Cryvage »

How to completely disable strict transport security in NoScript? I found that it can be disabled by setting the "noscript.STS.enabled" option to "false" in "about:config". But there is no such option. So the information is incorrect or outdated. I've tried to add a new parameter with this name and a "false" value, but it's not working.
I have a problem accessing http://download.cdn.mozilla.net/. This site is not the first and not the only one with this problem. It's just the "last drop". At first I thought that it was a problem with Firefox itself. But everything works fine if I disable NoScript.
P.S. I don't need any "security" tweaks from the NoScript addon. All I need is the ability to disable some scripts on some sites.
P.P.S. Please, I don't need advice on how to access the site that I mentioned. I really need to disable strict transport security. Disable it completely and forever.
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to disable strict transport security?

Post by barbaz »

Cryvage wrote: P.S. I don't need any "security" tweaks from the NoScript addon.
You do realize that security is the whole point of NoScript, right?
Everything else it does is side effects of "security tweaks".
Cryvage wrote: All I need is the ability to disable some scripts on some sites.
https://addons.mozilla.org/addon/yesscript/
*Always* check the changelogs BEFORE updating that important software!
therube
Ambassador
Posts: 7979
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: How to disable strict transport security?

Post by therube »

Cryvage wrote: I found that it can be disabled by turning "false" the "noscript.STS.enabled" option in "about:config".
Where?
I gather that information is dated & no longer applicable.
Cryvage wrote: I have a problem to access to http://download.cdn.mozilla.net/
Mozilla itself stores (HSTS) related data in the file, SiteSecurityServiceState.txt, found in your Profile folder.


Also there was an issue on the Mozilla end pertaining to the URLs they were using, something along these lines, Bug 1257214 - Thunderbird Bouncer links go to download.cdn.mozilla.net, showing cert error page.

Idea being that if you used https://download.cdn.mozilla.net/ you are greeted with an "Untrusted" warning & not able to proceed, where the non-secure, http://download.cdn.mozilla.net/ (or alternative URL) were OK.


If you happen to have download.cdn.mozilla.net listed in your SiteSecurityServiceState.txt file, exit FF, edit SiteSecurityServiceState.txt with a text editor, remove that line, save the file, restart FF & test.
(Won't hurt to back up first.)


Also you might look & see if you happen to have the file, NoScriptSTS.db lying around in your Profile folder. If so, suppose it can't hurt to exit FF, then rename the file (to something like, NoScriptSTS.db.NOT). (Though I'm thinking unless you're using a quite dated version of NoScript, it wouldn't apply anyhow?)
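The SiteSecurityServiceState.txt edit described in the post above, as an added example that is not part of the original thread. It assumes each line of the file starts with a tab-terminated `host:HSTS` key; the function names and the sample lines are constructed for illustration. Run it only while Firefox is closed.

```python
import re
import shutil
from pathlib import Path

# Constructed sample lines (assumed layout: key<TAB>score<TAB>day<TAB>expiry,state,subdomains).
SAMPLE = (
    "download.cdn.mozilla.net:HSTS\t0\t17000\t1500000000000,1,0\n"
    "mozilla.net:HSTS\t2\t17005\t1505000000000,1,0\n"
    "addons.mozilla.org:HSTS\t5\t17010\t1510000000000,1,1\n"
)


def entry_host(line):
    """Return the lower-cased host of one state-file line ('' for a blank line)."""
    key = line.split("\t", 1)[0].strip()
    # Assumption: the host ends at the first ':' (type suffix) or '^' (attribute suffix).
    return re.split(r"[:^]", key, maxsplit=1)[0].lower()


def remove_host(state_file, host):
    """Remove entries stored for exactly `host`; return the removed lines.

    A copy named <file>.bak is written first, and only when something is
    actually removed. Parent and sibling domains are left untouched.
    """
    path = Path(state_file)
    with path.open(newline="", encoding="utf-8") as fh:
        lines = fh.readlines()
    wanted = host.strip().lower()
    kept, removed = [], []
    for line in lines:
        (removed if entry_host(line) == wanted else kept).append(line)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with path.open("w", newline="", encoding="utf-8") as fh:
            fh.writelines(kept)
    return [line.rstrip("\r\n") for line in removed]


if __name__ == "__main__":
    import tempfile

    # Work on a constructed copy, never on a live profile, when trying this out.
    demo = Path(tempfile.mkdtemp()) / "SiteSecurityServiceState.txt"
    demo.write_text(SAMPLE, encoding="utf-8")
    for gone in remove_host(demo, "download.cdn.mozilla.net"):
        print("removed:", gone)
    print(demo.read_text(encoding="utf-8"), end="")
```

The match is exact, so an entry for `mozilla.net` stays in place when `download.cdn.mozilla.net` is removed.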
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to disable strict transport security?

Post by barbaz »

Actually, I didn't pay attention to the specific site in question. No HSTS there, that's httpsDefWhitelist in action again.

Probably an exception for download.cdn.mozilla.net should be default?



For those who actually like security:

NoScript Options > Advanced > HTTPS > Behavior
add download.cdn.mozilla.net on its own line under "Never force ..."
Cryvage

Re: How to disable strict transport security?

Post by Cryvage »

barbaz wrote: For those who actually like security:

NoScript Options > Advanced > HTTPS > Behavior
add download.cdn.mozilla.net in its own line under "Never force ..."
Yes, it solves the problem. Setting DefWhitelist to "false" also works. In my case I've chosen the second. I really do always manually type the protocol of the page (an old habit), and always check the protocol of the current page before entering any private data (also an old habit).

Answering your first question: yes, I realize that NoScript does a lot for security reasons. But it's still called "NoScript", not "YesSecurity". HTTP(S) and scripts: nothing in common, as far as I'm concerned. When I encountered the problem, I didn't even think about the NoScript addon. I created a new profile and started to add addons one by one. That's how I realized that NoScript was the cause. And that's why I say that I don't need any "security" tweaks from the NoScript addon. Because it's called "NoScript", and it's not at all clear that it would force HTTPS, or something like this. If I need this, I'll install "HTTPS Everywhere", for example. It's not that I don't care about security. I just use other tools and techniques to achieve it. It's all about habits.

Thanks for your help. The problem is solved. And I'm sorry for my negativity. I like NoScript. And I'm thankful to all the people who are involved in its development and support.
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to disable strict transport security?

Post by barbaz »

You're welcome, glad we could help.
therube
Ambassador
Posts: 7979
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: How to disable strict transport security?

Post by therube »

barbaz wrote: that's httpsDefWhitelist in action again
So what happens with that?
If true, sites in noscript.default are forced https, or... ?
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to disable strict transport security?

Post by barbaz »

therube wrote: If true, sites in noscript.default are forced https
This ^
therube
Ambassador
Posts: 7979
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: How to disable strict transport security?

Post by therube »

OK. And mozilla.net is included in noscript.default.

But just what does "mozilla.net" match to?
Only mozilla.net?
Or does it also match "cdn.mozilla.net" & how about "download.cdn.mozilla.net"?

If all three (& potentially more), then why, with noscript.httpsDefWhitelist;true, does (http://) download.cdn.mozilla.net open on my end without issue?

If only "mozilla.net", why would noscript.httpsDefWhitelist;true be blocking the OP?
(And assuming he does not have [download.]cdn.mozilla.net on his noscript.default list.)
Or is it not, actually?
Maybe he has forced HTTPS for all sites?
And for this instance, has put in a specific bypass for download.cdn.mozilla.net.
Or...?
therube
Ambassador
Posts: 7979
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: How to disable strict transport security?

Post by therube »

	<therube>	barbaz: new Profile, install NoScript, visit http://download.cdn.mozilla.net/, "fails" (This Connection is Untrusted)
	<therube>	so by "failing", it is doing as expected
	<therube>	so the question then is, what in my existing Profile is allowing it to succeed, allowing the http: to open?
	<therube>	barbaz: removing mozilla.net from the whitelist (capability.policy.maonoscript.sites) does it.
This is related: httpsDefWhitelist affects more than just default whitelist