Chrome adds weird HTTPS:1 header to all requests

google-chrome browser https ssl https-everywhere

I've been getting a lot of weird errors on websites that relate to HTTPS. These sites works great in FF and IE, but fail to load in Chrome. It appears that though I'm requesting an unsecured URL (http), Google Chrome adds an extra header HTTPS:1 to the request.

This causes some servers, probably some that use offload SSL and provide a shared hosting, to respond with an error since there is no SSL on the server.

I'm not being redirected to a secured page (HTTPS), rather all internal URLs in the source are being edited to https.

I've checked the connection with fiddler. This parsing is not being made on my computer and the only difference is this HTTPS:1 header.

I've created a simple PHP page that prints the $_SERVER variable. When I access it with chrome I can see: [HTTP_HTTPS] => 1. I cannot see it with FireFox.

I've tried clearing all data, unpairing chrome from my google account, and removing and installing Chrome from scratch.

Anyone have any idea about this? It is driving me crazy.


Most likely those sites that you are having problems with are running server code that incorrectly interprets the HTTPS: 1 request header. For example the Wordpress WooCommerce plugin, which is running on about 900,000 sites, has buggy code that incorrectly handles the HTTPS: 1 header. See their latest patch document here: https://woocommerce.wordpress.com/2015/07/07/woocommerce-2-3-13-security-and-maintenance-release/

There is a similar post on StackOverflow: https://stackoverflow.com/questions/31565155/wordpress-woocommerce-forces-https-when-it-shouldnt/31570584#31570584

To give more detail: Chrome has implemented the Upgrade Insecure Requests specification from the World Wide Web Consortium (W3C). Section 3.2.1 of that specification is The Upgrade-Insecure-Requests HTTP Request Header Field which states

3.2.1. The Upgrade-Insecure-Requests HTTP Request Header Field

The Upgrade-Insecure-Requests HTTP request header field sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide.

This preference is represented by the following ANBF:

"Upgrade-Insecure-Requests:" *WSP "1" *WSP

Sites like those running the WooCommerce plugin in Wordpress are incorrectly rewriting all the URLs in the response as https:\\ links if the HTTPS: 1 header was set in a non-secure (http) request.

As an end user of that site, the only easy work around is to use a browser other than Chrome until those web sites are repaired


Apparently a bug in version 44, seems to be fixed in the latest update. I'm now using 44.0.2403.107 and the problem seems to gone away.

More information here: http://www.zdnet.com/article/brand-new-chrome-44-release-added-a-bug/


its more than just wocommerce, its all of wordpress that is going haywire causing bad css, images and etc.

add this to near the top of your wp-config.php to remove it

if($_SERVER['HTTP_HTTPS'] && !$_SERVER['HTTPS'])
{    unset($_SERVER['HTTP_HTTPS']);
}

You may try this, to unset the HTTP_HTTPS header.

if(!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
    unset($_SERVER['HTTP_HTTPS']);
}

Related

Getting the list of command history using Clink
RPM build error: empty %files file debugfiles.list
Bluetooth handsfree better quality
How to install SQL Server 2016 on Windows 7
When installing Windows 7, CDBOOT error 5 appears: Cannot boot from CD; why?
How do I change the default sort order on Windows Explorer and the File Dialogs
Batch remove comments from PDF files
Remove port aliases in iptables
Any point in installing both 32 and 64 bit versions of Photoshop?
How can I remove items from the "Look in:" combo box in Visual Studio's "Find and Replace" dialog?
Can I "export" an alias to the SHELL that invoked a script?
Why is setuid ignored on directories?