Chrome forcing HTTPS on a website that only uses HTTP. Have to delete domain name in net-internals


Patrick Perri

Apr 22, 2019, 4:32:38 PM
to Chromium-discuss
Happening on multiple computers (over 50). Both Windows and Macs. Just started about 3 weeks ago. Website did not change when it started happening.

Even if we change the site link to http://server.domain.com in the link bar, Chrome forces it to HTTPS and we cannot get to HTTP; Chrome just keeps changing it back to HTTPS.

We keep having to go into chrome://net-internals/#HSTS and "Delete domain security policies" for the domain.

The site having the issue is a subdomain of domain.com, and some application servers at the top level domain e.g. www.domain.com do have HTTPS enabled, but this is not the same servers as www, this is just an internal application.

But this site server.domain.com does not use HTTPS, and only has HTTP set up and will not support HTTPS.

The web server application on this server is not configured to accept HTTPS connections and cannot be configured to do so.

How can we force domain.com to stay out of the domain security policies so Chrome stops forcing the browser to HTTPS for the site server.domain.com?

We make the change and then within a few days, it goes back to forcing https again.

Is there a script or a place to put a config into Chrome so it stops re-applying the domain security policy to this site?

Torne (Richard Coles)

Apr 22, 2019, 5:02:39 PM
to patrick...@gmail.com, Chromium-discuss
Probably domain.com is sending HSTS headers that set "includeSubDomains", which means that as soon as someone visits https://domain.com they will get the entry created there and it will apply to all your subdomains. You need to fix the HSTS configuration on domain.com if that's the case.

Chrome only applies the security policy when it is told to by the owners of the site.

--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss
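
The behaviour described in the reply above can be modelled in a few lines. This is an added example, not code from the thread or from Chromium: it parses `Strict-Transport-Security` values per RFC 6797 and reports which stored policy upgrades a given host. The function names and the header values are constructed for illustration.

```python
# Added example: simplified model of a browser's HSTS store (RFC 6797).
# Host names and header values are constructed for illustration.

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None                # malformed max-age: header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def build_store(observed):
    """observed: {host: header seen on an HTTPS response} -> {host: include_sub}."""
    store = {}
    for host, header in observed.items():
        policy = parse_hsts(header)
        if policy is None:
            continue
        max_age, include_sub = policy
        if max_age == 0:
            store.pop(host.lower(), None)  # max-age=0 deletes the stored entry
        else:
            store[host.lower()] = include_sub
    return store

def forcing_policy(host, store):
    """Return the stored host whose policy upgrades `host` to HTTPS, or None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        # An exact match always applies; a parent applies only with includeSubDomains.
        if candidate in store and (i == 0 or store[candidate]):
            return candidate
    return None

# Constructed headers for the parent domain: current state and corrected state.
BEFORE = {"domain.com": "max-age=31536000; includeSubDomains"}
AFTER = {"domain.com": "max-age=31536000"}

if __name__ == "__main__":
    print(forcing_policy("server.domain.com", build_store(BEFORE)))  # domain.com
    print(forcing_policy("server.domain.com", build_store(AFTER)))   # None
```

A browser that already cached the `includeSubDomains` entry replaces it only when it next receives the corrected header from https://domain.com, which is why deleting the entry locally does not last while the parent keeps sending the old header.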
