Type xkcd.com
in location bar, hit return -> https://xkcd.com
.
But if I type http://xkcd.com
instead, it does not change to HTTPS.
I've checked both URLs, and they're not using HSTS headers. I'm not using HTTPS Everywhere. (And in either case, I wouldn't have expected it to be so easily bypassed). I don't have the HTTPS site bookmarked – in fact I have the HTTP url bookmarked.
Iceweasel (Firefox-ish) 16.0.2. (I guess my updates are probably slightly screwed up).
How does this work? Do other browsers do it as well?
Best Answer
According to After updating to 14.0.1 Firefox will force https on websites. How do I fix?, this is due to auto-completion:
If you've previously visited the HTTPS version of the page, you will see this when typing "xkcd" into the address bar:
When hitting Enter at this stage, you will land on
https://xkcd.com
, just like you're experiencing.You can also highlight the
https://xkcd.com
in the dropdown and hit Del. The URL will then be removed and will land on the HTTP version the next time.