Bug 492145

Summary: networkcheck.kde.org has HSTS enabled, which breaks captive portals if you ever visit it with HTTPS
Product: [Websites] www.kde.org
Reporter: forestbeasts <forestbeasts>
Component: general
Assignee: kde-www mailing-list <kde-www>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Other   
OS: All   

Description forestbeasts 2024-08-24 20:46:23 UTC
SUMMARY
networkcheck.kde.org has HSTS enabled, so if you ever visit it with HTTPS, your browser will only try to load it with HTTPS, which breaks captive portals.

STEPS TO REPRODUCE
1. Visit https://networkcheck.kde.org.
2. Join a captive portaled wifi network (coffeeshop, etc.).

OBSERVED RESULT
https://networkcheck.kde.org has a certificate error.

EXPECTED RESULT
http://networkcheck.kde.org gets redirected by the captive portal to its own login page.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Linux 40
KDE Plasma Version: 6.1.4
KDE Frameworks Version: 6.5.0
Qt Version: 6.7.2

ADDITIONAL INFORMATION
This should be an easy fix – just turn off HSTS on networkcheck.kde.org. (This won't help people who've already visited it with HTTPS, but eventually the HSTS will expire and they'll be fine.)

You can tell HSTS is enabled by running `curl -v http://networkcheck.kde.org` and looking for the Strict-Transport-Security header.
Comment 1 Ben Cooksley 2024-08-24 20:51:40 UTC
Thanks for advising - this was due to a configuration oversight and wasn't intended - we actually had configuration to remove this but it had no effect due to the wrong set of header tables being changed. That has now been corrected.
Comment 2 forestbeasts 2024-09-02 04:11:15 UTC
Oh perfect, thanks!
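
A regression check for the header this report is about, added here as an example; it is not part of the original bug report or of KDE's server configuration. The function name `hsts_status` and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example. hsts_status reads raw HTTP response headers on stdin and prints:
#   absent          - no usable Strict-Transport-Security header
#   cleared         - max-age=0, which tells browsers to drop a stored HSTS entry
#   pinned:<secs>   - positive max-age; browsers will force HTTPS for that long
# Exit status is 1 only for "pinned", so the function can gate a deployment check.
# Browsers act on this header only in HTTPS responses, so for a live check feed it
# the headers of the https:// response, e.g.
#   curl -sI https://networkcheck.kde.org | hsts_status
hsts_status() {
    awk '
    {
        sub(/\r$/, "")                      # tolerate CRLF line endings
        line = tolower($0)                  # header names are case-insensitive
        if (line !~ /^strict-transport-security[ \t]*:/) next
        sub(/^[^:]*:/, "", line)            # keep only the header value
        n = split(line, parts, ";")
        for (i = 1; i <= n; i++) {
            d = parts[i]
            gsub(/[ \t"]/, "", d)           # drop padding and optional quotes
            if (d ~ /^max-age=[0-9]+$/) { sub(/^max-age=/, "", d); age = d; found = 1 }
        }
        exit                                # only the first such header counts
    }
    END {
        if (!found)       { print "absent";  exit 0 }
        if (age + 0 == 0) { print "cleared"; exit 0 }
        print "pinned:" age
        exit 1
    }'
}

# Constructed sample responses (not captured from the real server).
sample_with_hsts() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n'
    printf 'strict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n'
}
sample_without_hsts() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n'
}
sample_cleared() {
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n'
}
```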