Issue metadata
Sign in to add a comment
|
Chrome redirects http://localhost to https:/localhost via HSTS -- Please ignore localhost
Reported by
mattwert...@gmail.com,
Nov 10 2017
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36 Steps to reproduce the problem: 1. browse to http://localhost 2. HSTS redirects to https://localhost, which doesnt work 3. What is the expected behavior? HSTS should always ignore localhost. Its only used by developers and doesnt apply to HSTS. What went wrong? I am a developer. I have my login service running on localhost using https and 2way ssl pki. My front end dev webserver is running on http. I am doing these things for valid reasons. Recently Chrome updated to version 62.3202.75 and started redirecting my http to https which doesnt work. I now have to remove localhost from HSTS everytime I run it. Did this work before? Yes the problem started when chrome updated to 62.0.3202.75 Does this work in other browsers? Yes Chrome version: 62.0.3202.75 Channel: n/a OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: HSTS should always ignore localhost.
,
Nov 11 2017
I do not think there is a reason not to apply HTTP Strict-Transport-Security to localhost. If you are sending the header, you are asking for it. Do not send the header in your development machine (or filter it). However, if it seems to be applied without (ever!) sending that header, then this is a bug. So, which is it?
,
Nov 11 2017
Thank you both for responding. I dont know about the HSTS header or how its getting added. My front end web app is running on http://localhost:8081. Some calls redirect to https://localhost:8443/ for 2 way ssl pki login with CAS which involve several back and forth redirects. Lastly I call a spring-boot web service running on https://localhost:8999 which also redirects to https://localhost:8443/cas, with redirects, and CORS mixed in. Maybe CAS or the spring boot service is injecting HSTS headers. I dont know how they get added but everytime I start the system, now after Chrome updated, I have to remove localhost from HSTS page in Chrome and then it works until I reload. I have to re-deleted the localhost from HSTS many times a day now. What would add the header? I guess if CAS or spring-boot are adding the header, then maybe I could add 3 different aliases to host file for 127.0.0.1, local-dev, local-cas, local-springboot. Thanks again for taking time to help me
,
Nov 11 2017
One of them is probably heading the header. I think this is by design for Chrome. Use different hosts instead, like you mentioned.
,
Nov 11 2017
s/heading/adding/
,
Nov 20 2017
If you look in the DevTools network panel, you can probably find out which one is adding the header and then remove that. If you do that, do you see the Strict-Transport-Security header? I agree that there's no need for a special-case here. If https://localhost is setting the HSTS header, then it is asking for just such a redirect.
,
Dec 8 2017
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by kapishnikov@chromium.org
, Nov 10 2017Components: Internals>Network