If You Don't Make Your Cart Stay In Https You Now Get A Redirect Error With Firefox

We have the following item NOT selected.

"Keep HTTPS connection once a secure page is visited"

Which meant if a customer was in https and went back to the home page it would take them back to the normal http. Well, we just noticed today that on Firefox 31 if you have it turned off you will get the following error from Firefox:

“Firefox prevented this page from auto redirecting to another page.”

So we ended up turning it on to always stay in https or on the secure portion of the site even if they leave their shopping cart, etc.

We have repeated this on every PC in our office but they are all Windows 7. Has anyone else run into this issue?

Yup, same problem here… try it on my site… create a bug ticket to CS ASAP.

FF 23 (I think that's the version) has now implemented mixed content rules. So going from secure to insecure is not allowed unless the user selects to allow it for that page (click the shield in the address bar for the options).

However, I'm not sure I know why it thinks it's an automatic redirect. Suggest you look at the actual https page for the link you are using and see if it uses the https or http protocol. If it has http then it would be considered “mixed content” and if it's https then the browser will think that it's asking for an https page but it's being served with an http page (again, mixed content).

This is brand new in FF and may still have some “issues” with how it is implemented. More and more of these vendors are trying to market themselves by “saving you from yourself” and it is breaking some existing methods.

Firefox is at version 31. Mixed content is when the site is serving page elements over http as well as over https. This has been blocked in many browsers for some time. In Firefox this was introduced in April 2013. Other browsers started blocking mixed content years ago.

I think that what is going on may be something different. Firefox has the following setting turned on by default:

Firefox button > Options > Options (or Tools > Options) > Advanced > General, “Warn me when websites try to redirect or reload the page”

This is also an ancient setting.

I see in your store that it's only happening when the user is forwarded from https to http, but not the other way around.

There must be something new going on with either CSC4.2 in the way that pages are redirected from https to http or with FF31 in the way it sees these https to http redirects.

If the browser is requesting an https page and it gets an http page in response, then it should block the redirect. Otherwise someone who was hacked and went to https://bofa.com and was redirected to http://bofe.com could enter their account info on a phishing site. I think having a link on an https page that goes to a non-https site is fine (or should be) but it might be qualifying it based on the primary domain name or the organizational name in the certificate.

So I guess my question is: does the https page have the link in the logo set to http or https? If https and it's getting an http in response, then it should generate the alert. But if it's http, then it shouldn't. If the “keep https setting” is NOT set, then the link for the logo should be http, not https, and if it is NOT set then that would be a bug.

It's not just if you click on the logo. If you click on 'continue shopping' then the same happens. But you are right that all links on the page are https, including the links that lead to http. The user is redirected to http after clicking on the https links. This indeed appears like suspected phishing behaviour and CS-Cart should not be doing this.
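The behaviour described above (https links that answer with a redirect to http) can be checked for from recorded responses. The following Python is an added example, not code from CS-Cart or from any poster in this thread; the host shop.example, the paths and the recorded responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed sample: (status, Location header) a crawler recorded per URL.
RECORDED = {
    "https://shop.example/": (302, "http://shop.example/"),
    "https://shop.example/cart": (200, None),
    "https://shop.example/continue": (302, "/index.php"),
    "https://shop.example/index.php": (301, "http://shop.example/index.php"),
    "http://shop.example/": (200, None),
    "http://shop.example/index.php": (200, None),
}

def follow(url, responses, max_hops=10):
    """Return every URL visited, resolving relative Location headers."""
    chain = [url]
    for _ in range(max_hops):
        status, location = responses.get(chain[-1], (None, None))
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)
        if nxt in chain:  # redirect loop, stop here
            break
        chain.append(nxt)
    return chain

def downgrades(chain):
    """Return the (from, to) hops where the scheme drops from https to http."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"]

def audit_links(page_url, hrefs, responses):
    """Map each https link on the page to the downgrade hops it triggers."""
    findings = {}
    for href in hrefs:
        target = urljoin(page_url, href)
        if urlsplit(target).scheme != "https":
            continue  # a plain http link is visible as such, not a hidden downgrade
        hops = downgrades(follow(target, responses))
        if hops:
            findings[href] = hops
    return findings
```

Links that are reported here are the ones that should either be generated as http in the first place or be kept on https end to end.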

I was using the logo just as an example.

If the URLs being generated for non-https locations (based on settings) are https, then that is a bug that should be addressed.

I see this also happens if you install an addon.

That's because almost everything uses fn_url() which is where the actual path needs to be verified as to whether it should be http or https based on its context. I don't think it will be a simple problem to address. Lots of variables.

Sorry, I didn’t get any updates on this and didn’t realize anyone was responding.

If someone wants to post it as a bug in bugtracker they can go for it. Just post a link in this feed and I’ll say we have the same issue. I am on a fast from posting bugs due to health issues. :?

I'm tired of reporting bugs that they don't agree with and ending up in endless exchanges that lead to nowhere. Would really help if they'd just put on the merchant hat and look at things from that perspective rather than (that's not the way we did it type of approach).

So I too now avoid posting bugs since I'm trying to keep my ulcers calm…

This is one of those where they just won't get it!

So who out there has the stomach to tell CS about this bug? lol

It's in there: http://forum.cs-cart.com/tracker/issue-5202-cart-https-to-http-is-not-working-421/

I doubt they have even tried Firefox 31 when they say they can't reproduce it.

On a V2.2.5 site using FF 31.0, having the “stay in https” unchecked behaves like this:

- Homepage and product pages (non-https) are fine.
- Add product to cart and go to checkout, which switches to https
- Link in logo is https://site.com on checkout page (think it should be http)
- Clicking logo takes me to page http://site.com
- No exception from browser


I don't have access to a V4 ssl site to verify any differences…

Good point Tony. I am not having this problem on my other sites that are still on 2.2.5. So this does appear to be an issue with version 4. For now if a customer goes to the SSL then they are going to stay on it for the sites that use CS4.

I guess I'd be interested in the differences.

Can you do the test above on a V4 site that has SSL? The exact steps/config.

Be interested if we've missed something in how to recreate or if there is truly a documented difference between V4 and older versions.

Does it really matter anymore? CS-Cart doesn't appear to care and instead feels we should contact our customers and tell them to change a setting in their browser. That will go over well. As if the customer will actually stick around for us to be able to tell them that! I'm sorry, but I am so glad we are looking at other shopping carts. It doesn't make any difference how many bells and whistles CS-Cart has if they can't keep the basic core working or the basic working without screwing up our links and more.

Well, it would probably help the rest of us if you could confirm that on your V4 site, configured as I stated above, that the behavior still generates the error. It might be that I missed the point and was really not reproducing the problem you were having.

Anyone with Firefox 31 installed can verify this bug on csc4. I could verify the bug on 5 different websites within a few minutes by just going to the live stores showcased on cs-cart.com.

I have posted this call for bug tracking improvement here. I hope that CS-Cart management will read it and take it to heart. CS-Cart has so much potential. It's sad to see long time customers move away out of frustration.

Bugtracker responses give new meaning to “lip service”