Where did you install Firefox from? Help Mozilla uncover 3rd party websites that offer problematic Firefox installation by taking part in our campaign. There will be swag, and you'll be featured in our blog if you manage to report at least 10 valid reports!

Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

Learn More

话题已存档。 如果需要帮助请提出新问题。

Why does Strict-Transport-Security not work on Firefox for Android?

  • 1 个回答
  • 1 人有此问题
  • 4 次查看
  • 最后回复者为 wiwouchu

wiwouchu
wiwouchu
more options

Our internal server sends the Strict-Transport-Security header but it does not work on Firefox for Android. It works on the PC but not on the mobile phone. Max-Age is set to 31536000 seconds (1 year). Now when I access our servers via https, the browser saves the HSTS policy. Now I close Firefox on the PC and then I open Firefox and press F12 to see the connections. If I now access http://example-internal-server.local the browser overwrites the request with HTTPS as expected.

But on Firefox for Android it doesn't work as expected. On my mobile I open https://example-internal-server.local again so that the browser can save the HSTS policy. Now I close Firefox and reopen Firefox. Now I visit http://example-internal-server.local and expect Firefox to automatically convert the unsafe request to HTTPS because of HSTS. Which he's not. What's going on here?

Our internal server sends the Strict-Transport-Security header but it does not work on Firefox for Android. It works on the PC but not on the mobile phone. Max-Age is set to 31536000 seconds (1 year). Now when I access our servers via https, the browser saves the HSTS policy. Now I close Firefox on the PC and then I open Firefox and press F12 to see the connections. If I now access http://example-internal-server.local the browser overwrites the request with HTTPS as expected. But on Firefox for Android it doesn't work as expected. On my mobile I open https://example-internal-server.local again so that the browser can save the HSTS policy. Now I close Firefox and reopen Firefox. Now I visit http://example-internal-server.local and expect Firefox to automatically convert the unsafe request to HTTPS because of HSTS. Which he's not. What's going on here?

由wiwouchu于修改

所有回复 (1)

wiwouchu
wiwouchu 提问者
more options

Okay, the problem is now half solved but only half solved. I had to create a PTR record for the domain. Now it works on the stable (default) Version of Firefox 60.0 on my mobile.

The new problem is now: How can I make it work in Firefox Nightly on my mobile phone? It does work on Nightly on the PC but not on my mobile. Or does Strict Transport Security (HSTS) generally not work on Nightly?

由wiwouchu于修改