In version 91, Mozilla introduced a handy new security feature in Firefox:
Firefox 91 introduces HTTPS by Default in Private Browsing
https://blog.mozilla.org/security/2021/08/10/firefox-91-introduces-https-by-default-in-private-browsing/
Sounds great! But… doing dev work on a server that supports both http and https, and trying to isolate some nginx location stanzas and rewrite directives, I NEED to be able to load the http version sometimes.
Instead, Firefox is fucking me by displaying this in the web developer tools console:
HTTPS-First Mode: Upgrading insecure request “http://bclug.ca/react/” to use “https”.
Stoopid Firefox
Again, as a default option, this is great and I support it 100%. As an option that I cannot override when I’m in full control of the server, (supposedly) the browser, and the connection between them is unacceptable.
Goddammit, Firefox. I’ve already wasted hours tweaking these location settings, and now you’ve wasted a whole bunch more time.
The specifics of my niche case is building React apps that can be served via nginx in a sub-directory, on a server that also hosts a WordPress site.
The WordPress configs want to intercept requests to JavaScript and CSS resources on https, so I’m tweaking the nginx configs to work around that. And, testing in http occasionally to ensure the site is still working.
It’s probably a bad idea for the two different sites to co-exist in a single vhost, but I don’t want to manage a bunch of extra sub-domains, plus I want the React sites to show up in an autoindex listing.
