From 6efb6b1e772934da9f3bc0d5dba5420da14ce587 Mon Sep 17 00:00:00 2001
From: Shaun Mirani <shaun.mirani@trailofbits.com>
Date: Wed, 12 Oct 2022 16:27:43 -0300
Subject: [PATCH] url: allow non-HTTPS HSTS-matching for debug builds

Closes #9728
---
 lib/http.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/http.c b/lib/http.c
index 8801f91a48..f57859e8b0 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3715,7 +3715,14 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
 #ifndef CURL_DISABLE_HSTS
   /* If enabled, the header is incoming and this is over HTTPS */
   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
-          (conn->handler->flags & PROTOPT_SSL)) {
+          ((conn->handler->flags & PROTOPT_SSL) ||
+#ifdef CURLDEBUG
+           /* allow debug builds to circumvent the HTTPS restriction */
+           getenv("CURL_HSTS_HTTP")
+#else
+           0
+#endif
+            )) {
     CURLcode check =
       Curl_hsts_parse(data->hsts, data->state.up.hostname,
                       headp + strlen("Strict-Transport-Security:"));