Chrome using HTTPS when explicitly redirected to HTTP


Ian Puleston

Jul 17, 2023, 1:27:54 PM
to Chromium-discuss
Hi.

We have a device that redirects HTTP connections to a login page, and seems to be hitting an issue that looks like incorrect behavior by Chrome (probably Chromium since Edge does the same). It can be configured to redirect to HTTP or HTTPS, to use the standard or custom port numbers for those, and to redirect to its DNS host name or IP address. This issue only happens when redirecting to its host name with custom port numbers.

It happens when we change the configuration from redirecting to HTTPS, to redirect to HTTP. The redirect uses an HTTP "302 Found" status, and this is what we see.
  1. An attempt to access a website gets a "302 Found" response with "Location: https://host-name:10281/page-name.html" (10281 is the port on which its web server is listening for HTTPS).
  2. Chrome fetches that page via HTTPS and all is hunky-dory.
  3. The device is reconfigured to redirect to HTTP on port 8021.
  4. An attempt to access a website now gets a "302 Found" response with "Location: http://host-name:8021/page-name.html".
  5. Chrome now opens an HTTPS connection to port 8021. That is reset because the device's web server is only listening for HTTP on this port.
So Chrome appears to have recorded having used HTTPS to fetch this web page, and continues to do so even after it is specifically told to use HTTP, and going to a different port number. Clearing just the cache doesn't help, but clearing everything (i.e. including history and site data) does correct the problem.

We don't see the same when redirecting to the device's IP address ("Location: http://ip-address:8021/page-name.html") or when redirecting to the standard HTTP port ("Location: http://host-name/page-name.html").

Any idea why Chrome would be doing this? It seems like a bug.

PhistucK

Jul 17, 2023, 1:33:31 PM
to ianp...@gmail.com, Chromium-discuss
Another option is that the HTTPS version returned a Strict-Transport-Security HTTP header, which makes the browser upgrade HTTP to HTTPS automatically.
You should be able to see the redirect, though, in the developer tools network panel and it might tell you why it changed HTTP to HTTPS.

PhistucK
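
The HSTS explanation suggested in the reply above can be checked against the rules in RFC 6797. The following Python model of a browser's HSTS store is an added example, not part of the thread and not Chromium's code: it shows that an `http://` URL for a known HSTS host keeps a non-default port when upgraded, and that IP-literal hosts are never recorded. The class and function names, `device.example` and `192.0.2.10` are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_sts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing/invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class HstsStore:  # hypothetical model of a browser's known-HSTS-host list
    def __init__(self):
        self.hosts = {}  # host name -> (expiry time, include_subdomains)

    def note(self, url, sts_value, now):
        """Record a policy; it only counts over https and never for an IP-literal host."""
        parts, policy = urlsplit(url), parse_sts(sts_value)
        if parts.scheme == "https" and policy and not is_ip(parts.hostname):
            # max-age=0 stores an already-expired entry, which clears the policy.
            self.hosts[parts.hostname] = (now + policy[0], policy[1])

    def is_known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):  # exact match first, then parent domains
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Apply the RFC 6797 section 8.3 upgrade to an http URL for a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or is_ip(parts.hostname) or not self.is_known(parts.hostname, now):
            return url
        # Port 80 (explicit or implied) becomes the https default; any other port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return parts._replace(scheme="https", netloc=netloc).geturl()
```

The policy is keyed on host name only, not on port, so a header served from the HTTPS port applies to every port on that name until `max-age` expires or the site data is cleared.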

