Just like HSTS I can't turn this off and it leaves a bad taste in my mouth. Where originally I considered Firefox to be a browser for power users, now I'm not too sure any more.
HSTS allows a site owner to set a security policy for access to their own servers. There's no downside to using it, it doesn't affect anyone else, and in any case if you choose to use a service you're subject to their security policies. The fundamental choice is unaffected: use their service or go somewhere else.
In contrast, this is more controversial because it involves telling the user that they cannot do something they want to do. I think there's a strong argument that this is a pragmatic choice in the current security environment but it really does undercut user choice unless you reach the point of saying that the users who want to do this should know how to compile Mozilla.
You can't imagine how frustrated I was when I found out that I couldn't use my proxy any more, because some guy somewhere decided that it'd be too hard to add the following lines to Firefox:
if (user_doesn't_want_hsts) { dont_do_hsts(); }
I can't even bend my head around how someone thought it was acceptable to totally take this option away from people. I understand that such an option should be hidden deep inside a config somewhere so as to prevent a normal user from compromising his/her own security. But please don't presume that you did everyone a service by taking this option away. I can't express how angry and frustrated I become when I even think about it.
As for your 'no downside', as I said, perhaps not for normal users. But I most definitively am not. And I probably need to jump through a lot of hoops to tear this "feature" out of my own Firefox build.
You need to read more about how HSTS actually works:
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
It does nothing that a site could not do by having their webserver redirect all HTTP requests to HTTPS, with the exception that it prevents the browser from ever making an insecure request, to prevent a man-in-the-middle attacker from tampering with it.
Of particular interest, note that it does not prevent you from using a proxy if you choose to configure one. The only thing it prevents is a transparent proxy intercepting all traffic on the network, which is a class of MITM attack, and a frequent source of security or privacy issues.
If you need to use a tampering SSL proxy you would, of course, need to configure it to generate certificates using a CA which you trust, which is a well-documented feature and something which has already been a requirement for many, many years.
> As for your 'no downside', as I said, perhaps not for normal users. But I most definitively am not. And I probably need to jump through a lot of hoops to tear this "feature" out of my own Firefox build.
Or learn how to configure your proxy so that it works with the security mechanism rather than unnecessarily exposing you to attacks. Your argument is a perfect example of why this is a good move: most people will simply hit whatever button causes the page to load without thinking through the security implications.