2

I'm running Safari 14 on Big Sur and developing a Rack based web application. Safari forces SSL on my static files (images, css, javascript) so I get an error message failed to load resource. An SSL error occurred... I can't find how to disable this ; other than very old and no longer maintained (and working) gems such as tunnels. safari > preferences > confidentiality also didn't do the trick.

thiebo
  • 1,339
  • 1
  • 17
  • 37
  • "_Safari forces SSL on my static files_" - I never heard of anything like that with Safari... are you sure that your HTML links don't use `https` at the beginning of the link? It might be your HTML page that forces the static files to be loaded using HTTPS...? – Myst May 23 '21 at 20:25
  • yes I'm sure about that. Found no solution :( – thiebo May 24 '21 at 04:41
  • I constantly work on Safari with localhost. Safari never forced my static data to use TLS/SSL. I would check your HTML links to the static assets (or whatever generates these links) to see if the HTTPS is forced by the details in the link rather than Safari. – Myst May 24 '21 at 08:01
  • 1
    It could be middleware (the ForceSSL middleware) often used in Rails. – Myst May 24 '21 at 09:25
  • 1
    I am using `Rack::Protection` in my Sinatra application, that's true. But this occurs only on Safari (not Firefox, Chrome or Opera). – thiebo May 24 '21 at 12:14
  • Possibly related to HSTS, see: https://apple.stackexchange.com/questions/283670/safari-only-wants-to-connect-to-localhost-via-https and https://stackoverflow.com/questions/46394682/safari-keeps-forcing-https-on-localhost – Myst May 24 '21 at 14:06
  • Does this answer your question? [Safari keeps forcing HTTPS on localhost](https://stackoverflow.com/questions/46394682/safari-keeps-forcing-https-on-localhost) – Myst May 24 '21 at 14:08
  • no, it doesn't unfortunately. I had seen it, but no. – thiebo May 24 '21 at 16:12
  • FYI: as long as you keep using the [`Rack::Protection::StrictTransport` middleware](http://sinatrarb.com/protection/strict_transport), the HSTS header / cookie will be resent. You have to both remove the cache and stop using the middleware in development (or enable TLS/SSL for the development server). – Myst May 24 '21 at 20:54
  • Also, test if it happen when using `127.0.0.1`? – Myst May 24 '21 at 20:55

0 Answers0