Disable HTTPS #104

Closed
richhauck opened this issue Mar 19, 2018 · 4 comments

@richhauck

Because the SSL certificate is self-signed, I've found that Firefox on Mac (I'm running Developer Edition 60.0b4 on macOS 10.13.3) won't permit viewing of the Pilothouse site.

@philipnewcomer
Member

philipnewcomer commented Mar 22, 2018

You can add an exception to Firefox so that it will permit the Pilothouse self-signed cert. Just click on Advanced > Add Exception > Confirm Security Exception from the error page. Firefox does not use the macOS certificate store, so the exception that Pilothouse adds at the operating system level isn't recognized by Firefox.

@richhauck
Author

Can't do that. Here's what Firefox says:

'This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox Developer Edition may only connect to it securely. As a result, it is not possible to add an exception for this certificate.'

HSTS is not being enforced in my site code.

@philipnewcomer
Member

Ah, it looks like I was testing on an older version of Firefox Developer Edition which still let me add an exception for self-signed certificates on sites where HSTS is enabled. I hadn't started Firefox Developer Edition in a while. The current version of FFDE does not allow this.

Exception or not, it's not possible to disable HTTPS for .dev sites, which you originally asked about. That's the whole point of HSTS: the site can only ever be reached over a secure connection. I don't agree with the browser vendor's decisions to enable HSTS for the .dev TLD, but I can't do much about it. This is enforced at the browser level; Pilothouse will still respond to both HTTP and HTTPS requests regardless of what the browser allows you to do.

If you have to use Firefox on your local, you'll need to use a domain name ending in something other than .dev.

@philipnewcomer
Member

Related: #94
