Firefox Broken on Local Domains (Shallow Thoughts)

Akkana's Musings on Open Source Computing and Technology, Science, and Nature.

Fri, 06 Aug 2021

Firefox Broken on Local Domains

I maintain quite a few domains, both domains I own and domains belonging to various nonprofits I belong to. For testing these websites, I make virtual domains in apache, choosing an alias for each site. For instance, for the LWVNM website, the apache site file has

<VirtualHost *:80>
    ServerName lwvlocal
and my host table, /etc/hosts, has    localhost lwvlocal
(The localhost line in my host table has entries for all the various virtual hosts I use, not just this one).

That all used to work fine. If I wanted to test a new page on the LWVNM website, I'd go to Firefox's urlbar and type something like lwvlocal/newpage.html and it would show me the new page, which I could work on until it was time to push it to the web server.

A month or so ago, a new update to Firefox broke that. Now, if I type lwvlocal/newpage.html in the urlbar, it goes to a google search:

But if I added the http part, explicitly typing http://lwvlocal/newpage.html, it worked just fine.

Localhost still works even without the http:// : localhost/newpage.html shows me the appropriate page from apache's virtual host. But none of the other host table entries for localhost work that way.

What Changed, and When?

My speculation: Firefox has begun implementing something like "https everywhere", automatically adding https:// instead of http:// in front of anything the user types that doesn't already have a URL scheme. Which of course doesn't work for local URLs, which are served with plain http.

I'm running Firefox 90.0. The 90.0 Release Notes doesn't mention anything that looked related. 90.0 does add the HTTPS-only mode, but I checked my preferences, and Don't enable HTTPS-Only Mode was set (for some reason that's in Privacy and Security, not Network Settings).

I also checked the release notes for Firefox 89.0, 88.0 and 87.0, with no joy. That took me back to March and I'm quite sure I haven't been seeing this problem for that long.

I wasn't having much luck with web searches, but a kind soul on #linux IRC pointed me to the Firefox 84 Developer release notes, which says:

Firefox now ensures that localhost URLs -- such as http://localhost/ and http://dev.localhost/ -- refer to the local host's loopback interface (e.g. As a result, resources loaded from localhost are now assumed to have been delivered securely (see Secure contexts), and also will not be treated as mixed content (bug 1220810, bug 1488740).

The page linked for Secure contexts says:

Note: Firefox 84 and later support http://localhost and http://*.localhost URLs as trustworthy origins (earlier versions did not, because localhost was not guaranteed to map to a local/loopback address).

So, Firefox Now Insists on domain.localhost

What this seems to mean is that as of Firefox 84 Developer (plus whenever that got rolled into regular non-developer Firefox: probably 89 or 90 but it's not in any of those versions' release notes), if you want to use a local virtual host, you either have to type the http:// every time, or else rename all your local virtual web hosts to domain.localhost. Otherwise Firefox won't see them as local hosts and will redirect to a search engine instead of loading the page from the local web server.

(Note: don't think you can use .local instead of .localhost. .local is reserved for use with MDNS/Avahi/Zeroconf/Bonjour/The Service With Many Names.)

Typing .localhost in addition to the domain name every time is actually more typing than adding the http://. On the other hand, Firefox will probably auto-fill the .localhost part, while it does not autofill the http:// part.

So I'm going to try renaming all my vhosts to add .local (which has to be done in /etc/apache2/sites-available/* as well as in /etc/hosts), and see how that goes. Apache lets you use multiple names:

<VirtualHost *:80>
     ServerName lwvlocal
     ServerAlias lwvnm.localhost

I wish there was a way to list explicit local domains that I want Firefox to accept. Or at least to get it to accept some extension shorter than .localhost, like .lh. But I haven't been able to find any hints of a way to customize this Firefox misfeature.

Things that Didn't Work

Before my kind helper pointed me to that 84 Developer release notes page, I found several discussions advocating changing the pref network.stricttransportsecurity.preloadlist. That didn't help at all with the localhost/http problem.

I also found a few pages suggesting setting network.dns.native-is-localhost to True. Don't do this -- it made Firefox give an "Unable to connect" screen for every external URL I tried.

Cleaning Up about:config: What the Heck is Normandy?

I had tried quite a few possible workarounds before I started hitting that "Unable to connect" screen. Fortunately, about:config has a checkbox for "Show only modified preferences" and I was able to wade through the long list looking for prefs I knew I'd changed today.

The list was full of strange and interesting stuff. What is doh-rollout.balrog-migration-done? And what were those 17 app.normandy prefs?

It turns out Normandy is a Firefox feature that lets Mozilla collect telemetry and push preference changes and new add-ons without asking you first. It's supposedly related to Studies, e.g. the Privacy and Security preference "Allow Firefox to install and run studies". (You can check whether you have studies enabled by visiting about:studies.)

Normandy is also related to Telemetry, "Allow Firefox to send technical and interaction data to Mozilla". But even though I had both studies and telemetry disabled, I still had 17 app.normandy prefs set.

What are all those preferences? They're apparently something Firefox sets without asking, and gives no easy way to disable. I still haven't found anything explaining them. I toggled off app.normandy.enabled for now, and will try removing the other prefs the next time I quit Firefox. It'll be interesting to see whether they stay removed.

Tags: ,
[ 13:34 Aug 06, 2021    More tech/web | permalink to this entry | ]

Comments via Disqus:

blog comments powered by Disqus