Chrome adds weird HTTPS:1 header to all requests

Most likely those sites that you are having problems with are running server code that incorrectly interprets the HTTPS: 1 request header. For example the Wordpress WooCommerce plugin, which is running on about 900,000 sites, has buggy code that incorrectly handles the HTTPS: 1 header. See their latest patch document here: https://woocommerce.wordpress.com/2015/07/07/woocommerce-2-3-13-security-and-maintenance-release/

There is a similar post on StackOverflow: https://stackoverflow.com/questions/31565155/wordpress-woocommerce-forces-https-when-it-shouldnt/31570584#31570584

To give more detail: Chrome has implemented the Upgrade Insecure Requests specification from the World Wide Web Consortium (W3C). Section 3.2.1 of that specification is The Upgrade-Insecure-Requests HTTP Request Header Field which states

3.2.1. The Upgrade-Insecure-Requests HTTP Request Header Field

The Upgrade-Insecure-Requests HTTP request header field sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide.

This preference is represented by the following ANBF:

"Upgrade-Insecure-Requests:" *WSP "1" *WSP

Sites like those running the WooCommerce plugin in Wordpress are incorrectly rewriting all the URLs in the response as https:\\ links if the HTTPS: 1 header was set in a non-secure (http) request.

As an end user of that site, the only easy work around is to use a browser other than Chrome until those web sites are repaired


Apparently a bug in version 44, seems to be fixed in the latest update. I'm now using 44.0.2403.107 and the problem seems to gone away.

More information here: http://www.zdnet.com/article/brand-new-chrome-44-release-added-a-bug/


its more than just wocommerce, its all of wordpress that is going haywire causing bad css, images and etc.

add this to near the top of your wp-config.php to remove it

if($_SERVER['HTTP_HTTPS'] && !$_SERVER['HTTPS'])
{    unset($_SERVER['HTTP_HTTPS']);
}