Chrome adds weird HTTPS:1 header to all requests
I've been getting a lot of weird errors on websites that relate to HTTPS. These sites work great in FF and IE, but fail to load in Chrome. It appears that though I'm requesting an unsecured URL (http), Google Chrome adds an extra header HTTPS:1 to the request.
This causes some servers, probably some that use offload SSL and provide a shared hosting, to respond with an error since there is no SSL on the server.
I'm not being redirected to a secured page (HTTPS), rather all internal URLs in the source are being edited to https.
I've checked the connection with Fiddler. This parsing is not being made on my computer and the only difference is this HTTPS:1 header.
I've created a simple PHP page that prints the $_SERVER variable. When I access it with Chrome I can see: [HTTP_HTTPS] => 1. I cannot see it with Firefox.
I've tried clearing all data, unpairing Chrome from my Google account, and removing and installing Chrome from scratch.
Anyone have any idea about this? It is driving me crazy.
Most likely those sites that you are having problems with are running server code that incorrectly interprets the HTTPS: 1 request header. For example the WordPress WooCommerce plugin, which is running on about 900,000 sites, has buggy code that incorrectly handles the HTTPS: 1 header. See their latest patch document here: https://woocommerce.wordpress.com/2015/07/07/woocommerce-2-3-13-security-and-maintenance-release/
There is a similar post on StackOverflow: https://stackoverflow.com/questions/31565155/wordpress-woocommerce-forces-https-when-it-shouldnt/31570584#31570584
To give more detail: Chrome has implemented the Upgrade Insecure Requests specification from the World Wide Web Consortium (W3C). Section 3.2.1 of that specification is The Upgrade-Insecure-Requests HTTP Request Header Field which states
3.2.1. The Upgrade-Insecure-Requests HTTP Request Header Field
The Upgrade-Insecure-Requests HTTP request header field sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide.
This preference is represented by the following ABNF:
"Upgrade-Insecure-Requests:" *WSP "1" *WSP
Sites like those running the WooCommerce plugin in WordPress are incorrectly rewriting all the URLs in the response as https:\\ links if the HTTPS: 1 header was set in a non-secure (http) request.
As an end user of that site, the only easy workaround is to use a browser other than Chrome until those web sites are repaired.
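The server-side mistake described in the answer above, shown next to a stricter check. This is an added example, not code from WooCommerce, WordPress or the original posts; the function names, the sample requests and the trusted-proxy address 10.0.0.5 are constructed for illustration.

```php
<?php
// PHP exposes each request header as $_SERVER['HTTP_<NAME>'], so the client
// header "HTTPS: 1" arrives as HTTP_HTTPS. $_SERVER['HTTPS'] (no HTTP_ prefix)
// is set by the web server itself and reflects the real connection.

// Flawed: treats a client-controlled header as proof of TLS, and also
// misreads the literal string "off" that IIS sets on plain-HTTP requests.
function is_secure_naive(array $server): bool
{
    return !empty($server['HTTPS']) || !empty($server['HTTP_HTTPS']);
}

// Stricter: trusts only the server-set value, plus X-Forwarded-Proto when the
// direct peer is a TLS-offloading proxy the operator has listed (assumption).
function is_secure_strict(array $server, array $trustedProxies = []): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (in_array($peer, $trustedProxies, true)) {
        $proto = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        return $proto === 'https';
    }
    return false;
}

// Constructed $_SERVER snapshots, one per situation discussed on this page.
$samples = [
    'Chrome 44 over http' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_HTTPS' => '1'],
    'direct TLS request'  => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'],
    'IIS over http'       => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'off'],
    'via offload proxy'   => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'spoofed proto'       => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($samples as $label => $server) {
    printf(
        "%-20s naive=%-5s strict=%s\n",
        $label,
        var_export(is_secure_naive($server), true),
        var_export(is_secure_strict($server, ['10.0.0.5']), true)
    );
}
```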
Apparently a bug in version 44, seems to be fixed in the latest update. I'm now using 44.0.2403.107 and the problem seems to have gone away.
More information here: http://www.zdnet.com/article/brand-new-chrome-44-release-added-a-bug/
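It's more than just WooCommerce, it's all of WordPress that is going haywire, causing bad CSS, images, etc.
Add this near the top of your wp-config.php to remove it:
if (!empty($_SERVER['HTTP_HTTPS']) && empty($_SERVER['HTTPS'])) {
    // Drop the client-sent "HTTPS: 1" header when the request did not arrive over TLS.
    // empty() avoids undefined-index notices when either key is missing.
    unset($_SERVER['HTTP_HTTPS']);
}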
You may try this, to unset the HTTP_HTTPS header.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
    // Request is not marked as TLS by the web server: discard the client-sent header.
    unset($_SERVER['HTTP_HTTPS']);
}