Pale Moon forum

When accessing a resource like local.mysite.com/something hosted locally, the browser converts the request to HTTPS one. This results in SSL errors because generally development machines are not SSL/TLS enabled.
Please remove this feature. I don't think anyone would require this, so it can be disabled without any preference controlling it.

I guess this is being done using HTTS? If yes, disabling that is not an option.
I'd also like to know what the rationale was behind this (why did FF/Chrome implement this)?

adesh wrote:When accessing a resource like local.mysite.com/something hosted locally, the browser converts the request to HTTPS one.

I've never seen such behavior, having both http and https running on localhost.

HSTS is usually declared domain-wide with subdomains. If you enable HSTS for your domain that way, then you must make sure everything on that domain is HTTPS, including "local" hosts. There is no distinction between behavior depending on what a host resolves to.
If you want to be more selective, then you must only set HSTS headers on specific hosts and exclude subdomains.

The rationale behind this is the standard. see RFC 6797

JustOff wrote:I've never seen such behavior, having both http and https running on localhost.

I forgot to put that in my post. Accessing the site via localhost kind of works, but that limits my machine's ability to serve multiple domains with their own configuration. URL router also gets messed up if, for example, both api.mysite.com and web.mysite.com are accessed using localhost.

Ok, so HSTS is indeed enabled for our domain including subdomains (I talked with our admin). Confusion was because I was not seeing this behaviour in older Basilisk. Now, things are clearer. But still no solution, other than disabling the list.