Force https problem

Posted: Sat Jan 02, 2010 11:19 am
by ttt
Add nhs.uk *.nhs.uk to list.

Go to http://www.nhs.uk/ - urlbar changes to https://www.nhs.uk/Pages/HomePage.aspx but page is http.

Go to https://www.nhs.uk/Pages/HomePage.aspx - http objects from the same domain are downloaded.

Re: Force https problem

Posted: Sat Jan 02, 2010 12:24 pm
by Giorgio Maone
ttt wrote: Go to http://www.nhs.uk/ - urlbar changes to https://www.nhs.uk/Pages/HomePage.aspx but page is http.
It seems HTTPS to me. What convinced you of the contrary?
ttt wrote: Go to https://www.nhs.uk/Pages/HomePage.aspx - http objects from the same domain are downloaded.
No, all the images and other resources from http://www.nhs.uk are served through HTTPS for me.
Again, how did you observe what you're stating? TCP sniffing or what?

Re: Force https problem

Posted: Sat Jan 02, 2010 1:07 pm
by ttt
Yes, I get HTTP content from that site (looking at TCP packets); also, in the first example (redirect) there is no SSL padlock in Firefox but the urlbar says https.

All other extensions disabled while testing.

Force https works on all other sites.

Re: Force https problem

Posted: Sat Jan 02, 2010 1:47 pm
by Giorgio Maone
Confirmed. The site automatically redirects any HTTPS request to its HTTP counterpart, and NoScript doesn't act on these self-redirections.
This is hardly exploitable by an attacker, but it's nevertheless a bug which I'm investigating for a quick fix.

Re: Force https problem

Posted: Sat Jan 02, 2010 5:49 pm
by Giorgio Maone
Fixed in latest development build 1.9.9.33.
Notice that the correct behavior implemented now obviously causes a redirect loop on stubborn sites like this, making them unusable.

Re: Force https problem

Posted: Sun Jan 03, 2010 11:10 am
by ttt
Agree it is correct behaviour even if some sites become unusable; force https would be broken on those sites anyway, which is bad for the user. Thanks for the fix!
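
The two outcomes discussed in this thread, as an added example that is not part of the original posts and is not NoScript code: a simplified model in which a force-HTTPS rule is applied either to the first request only (the site's own HTTPS-to-HTTP redirect then silently downgrades the page) or to every redirect target as well (the downgrade becomes a visible redirect loop). The server model, the list matcher and all function names are assumptions made for illustration.

```javascript
// Added illustration; this is not NoScript source code.
// Constructed server model: every HTTPS URL redirects to its HTTP
// counterpart, and every HTTP URL serves content.
function stubbornSite(url) {
  const u = new URL(url);
  if (u.protocol !== "https:") return { status: 200, location: null };
  u.protocol = "http:";
  return { status: 302, location: u.href };
}

// Hypothetical matcher for a list written like "nhs.uk *.nhs.uk".
function isForced(host, patterns) {
  return patterns.some((p) =>
    p.startsWith("*.") ? host.endsWith(p.slice(1)) : host === p);
}

// Rewrite http: to https: when the host is on the list.
function upgrade(url, patterns) {
  const u = new URL(url);
  if (u.protocol === "http:" && isForced(u.hostname, patterns)) {
    u.protocol = "https:";
  }
  return u.href;
}

// applyToRedirects=false: rule applied to the first request only.
// applyToRedirects=true: rule applied to every redirect target as well.
function navigate(start, patterns, server, applyToRedirects, maxHops = 10) {
  let url = upgrade(start, patterns);
  const seen = new Set();
  for (let hops = 0; hops < maxHops; hops++) {
    if (seen.has(url)) return { outcome: "redirect-loop", url, hops };
    seen.add(url);
    const res = server(url);
    if (res.status === 200) {
      const secure = new URL(url).protocol === "https:";
      return { outcome: secure ? "secure" : "downgraded", url, hops };
    }
    url = applyToRedirects ? upgrade(res.location, patterns) : res.location;
  }
  return { outcome: "too-many-redirects", url, hops: maxHops };
}

const LIST = ["nhs.uk", "*.nhs.uk"];
console.log(navigate("http://www.nhs.uk/", LIST, stubbornSite, false));
console.log(navigate("http://www.nhs.uk/", LIST, stubbornSite, true));
```

The same `navigate` check can be pointed at a recorded redirect chain to see whether a listed host ever ends on plain HTTP.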