
Google Chrome Forces HTTPS

I am developing a Rails application that uses an SSL connection. I am currently using third-party resources, which are JS and CSS files, for implementing a map (OpenStreetMap). I have already tried to import these resources (JS and CSS) into my application, but the JavaScript code tries to access an external WMS via HTTP.

The problem is that Google Chrome is blocking access to third-party resources from HTTP when the application is in HTTPS.

So I disabled SSL on certain pages of the application and tried to force HTTP or HTTPS the way I desire.

I followed this blog: http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/ and it works.

But when I force the HTTP protocol on the page where these resources will be used, Google Chrome forces an HTTPS connection, causing an infinite loop.

If I clear the Chrome cache (which has already accessed the same page with HTTPS) in order to access it via HTTP, it works. But if I have accessed an HTTPS page and try to access it via HTTP, Chrome forces the HTTPS connection, resulting in an infinite loop.

The question is: Is there something I can set in the request that causes Chrome to accept the connection?

Regards

user2064568 asked Feb 12 '13 11:02




1 Answer

I've been doing some research on this, and it turns out that turning on force_ssl = true on Rails 3 causes the app to send an HSTS header. There's a bit of information about it here: How to disable HTTP Strict Transport Security?

Essentially, the HSTS header tells Chrome (and Firefox) to access your site only through HTTPS for a specific amount of time.

So... the answer I have for you now is that you can clear your own HSTS setting by going to about:net-internals within your Chrome browser and removing the HSTS state.

I think the answers here can help you: Rails: activating SSL support gets Chrome confused

Skander answered Sep 28 '22 00:09
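The loop described in the question and the HSTS behaviour described in the answer, as an added Ruby simulation that is not part of the original post and is not Chrome's or Rails' code. The host app.example, the /map route, and the header values are constructed; the store follows RFC 6797, including the rule that a max-age=0 header received over HTTPS clears the stored state.

```ruby
require "uri"

# Model of a browser's HSTS store per RFC 6797 (not Chrome's actual code).
class HstsStore
  def initialize
    @expires = {} # host => expiry time in seconds
  end

  # Record the policy from a response; the header only counts over HTTPS.
  def note(uri, header, now)
    return unless uri.scheme == "https" && header
    max_age = header[/max-age\s*=\s*"?(\d+)/i, 1]
    return unless max_age
    if max_age.to_i.zero?
      @expires.delete(uri.host) # max-age=0 clears the stored state
    else
      @expires[uri.host] = now + max_age.to_i
    end
  end

  # Rewrite http:// to https:// before the request leaves the browser.
  def upgrade(uri, now)
    exp = @expires[uri.host]
    return uri unless uri.scheme == "http" && exp && exp > now
    URI("https://#{uri.host}#{uri.path}")
  end
end

# Constructed server: HSTS on every HTTPS response, but /map is forced to HTTP.
def server(uri, hsts_header)
  if uri.path == "/map" && uri.scheme == "https"
    { status: 302, location: "http://#{uri.host}/map", hsts: hsts_header }
  else
    { status: 200, hsts: (uri.scheme == "https" ? hsts_header : nil) }
  end
end

# Follow redirects as a browser would; returns :ok or :redirect_loop.
def browse(store, url, hsts_header, now: 0, limit: 20)
  uri = URI(url)
  limit.times do
    uri = store.upgrade(uri, now)
    res = server(uri, hsts_header)
    store.note(uri, res[:hsts], now)
    return :ok if res[:status] == 200
    uri = URI(res[:location])
  end
  :redirect_loop
end
```

A fresh store reaches /map over HTTP, one visit to any HTTPS page pins the host and the same request then loops, and the state ends only when max-age elapses or the server sends max-age=0 over HTTPS.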