Example: in private mode, enter publix.com in the address bar
Result: Firefox queries http://publix.com instead of https://publix.com
It is a little confusing because there is an https-first feature without a UI and an HTTPS Only feature with a UI. To confirm that https-first is enabled for private windows, you can check these preferences:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(2) In the search box in the page, type or paste dom.security.https_first and pause while the list is filtered
By default:
- dom.security.https_first => false
- dom.security.https_first_pbm => true (for private windows)
Testing in Firefox 93.0 with the default settings, if I open the Network Monitor before submitting an address, for http://example.com the Network Monitor shows https://example.com was requested in a private window. I don’t see a different behavior with the http://publix.com site. However, perhaps there is a DNS-related or other explanation for differences among Firefox installations??
Thank you for your answer. Attached is a screenshot of the Network Monitor after requesting publix.com.
Normally, requesting http://publix.com in a regular window returns a 301 redirect to https://www.publix.com so what you are seeing (403 forbidden) doesn’t match any normal Firefox behavior. Could you test bypassing your add-ons by restarting in Troubleshoot Mode? See: https://support.mozilla.org/kb/diagnose-firefox-issues-using-troubleshoot-mode
Attached is the same screenshot in Troubleshoot Mode (but on a higher-resolution screen). It looks the same. Maybe the problem comes from some kind of geoblocking on behalf of Publix (I’m not in the US). I don’t want to take more of your time…
I can’t reproduce the Publix problem, so perhaps you are right that there is a block?
An example came up on Reddit yesterday of a site that has a redirect for the HTTPS request that it does not have for the HTTP request, so HTTPS First takes Firefox to a dead end:
For Publix, I get this in the Browser Console (sitting in California):
- [Warning] HTTPS-First Mode: Upgrading insecure request “http://publix.com/” to use “https”.
- [Request] GET https://publix.com/ => 301 Redirect to https://www.publix.com/
- [Request] GET https://www.publix.com/ => 200 OK