[jeroenhd]

Firefox sticks to the spec, Chrome makes you type out base64 manually to ignore the spec.

The TLS errors that aren't unbypassible by specification (i.e. HSTS, see https://datatracker.ietf.org/doc/html/rfc6797) can be bypassed on Firefox just fine. It's only the ones where the spec says bypassing the error shouldn't be possible where Firefox takes a hard stance.

Chrome had to alter their bypass string several times because vendors documented the override rather than fixing their insecure crapware. It makes total sense to me that Firefox does the same.

[Dylan16807]

Being a user agent is more important than any spec.

[sugarpimpdorsey]

My installation of Firefox defaults to plain HTTP when I type a URL into the address bar. No amount of about:config fiddling seems to turn it off.

It is rubbish software, the developers routinely ignore fixing actual bugs in favor of new features, and I wish we had a better alternative that wasn't married to Google.

[seanhunter]

This works fine for me, so I don’t know what’s causing it to be different for you. The key in about:config is dom.security.https_only_mode and I have that set to “true”.

If you want to set this without using about:config you can go to Settings and search “https” you’ll see “https-only Mode” there and you can turn it on for all windows, private windows oonly or none. There is also an exception list should you want that.

[giingyui]

Software should do what I want it to, not stick to a spec.

[zzo38computer]

I agree that it should do what you entered. However, it would make sense for the default settings to match the specification, unless the specification is no good (which, in the case of HSTS (and many other things in WWW), I do think the specification is no good).

[giancarlostoro]

Ah yes, software should leak everyone else's credentials to me because I want it to, forget keeping their information safe and secure, forget the GDRP.

[yjftsjthsd-h]

Nobody said that. If you tell your software on your machine to leak your credentials, then yes it should. And since it's your data and you're the one telling it to do it, I'm reasonably confident that gdpr says that's completely above board. (Like, I'm no lawyer so take with appropriate grain of salt, but it's generally described as saying that you have to have user permission to do things with data, which the user agent acting on your orders very much does have.)