Dear Aymeirc, (public reply for the list)
The similar discussion on this list last month about mixed-content websocket connections had the subject "Mixed-content XHR & Websockets". I have an application which is similar to yours, where the JS does its own crypto using a combination of WebCrypto and emscripten-compiled OpenSSL. (The peers are dynamic and don't have globally-known certificates that a browser's chain-of-trust recognises for TLS, and the webapp has to be served over HTTPS to be secure.) So, we both have a legitimate use of plain (mixed) ws from an HTTPS context. I won't repeat the arguments for mixed-content blocking in Firefox, which is well-documented - Tanvi's blog post is a good place to start (https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/) Last month, I proposed a new CORS-style header that would solve our problem in a generic way. I have a new solution this week though, which is less generic and feels a bit bad, but should hopefully make everyone happy. Why can't we just whitelist known (or declared secure) WebSocket subprotocols? The idea is simple: a WebSocket connection which is actually encrypted isn't really mixed at all because of the protocol being used. If a 'secure' subprotocol is negotiated, then we're OK to let it through in a mixed context. I have a spec for this up on github: http://nwilson.github.io/websockets-mixed-context/. I'll post a Firefox patch implementing this soon. I think the next step is going to the appropriate WHATWG list and pestering there? Basically, Firefox is the odd browser out (Chrome doesn't block mixed WebSockets), and Firefox drove the addition of the clause to the spec I'm trying to get tweaked. Is there anyone particularly I should be looking for in Mozilla to review this proposal? Pragmatically, I think it's acceptably small and opens up some cool new webapps that aren't currently possible in Fx. Best, Nicholas ----- Nicholas Wilson: nicho...@nicholaswilson.me.uk Site and blog: www.nicholaswilson.me.uk 28 St Stephens Place, CB3 0JE 07845 182898 On 23 September 2013 09:21, Aymeric Vitte <vitteayme...@gmail.com> wrote: > Please see: https://bugzilla.mozilla.org/show_bug.cgi?id=917829 > > I think I have detailed already in the bug report why it does not necessary > make sense to forbid ws from a https page, for your review and comments. > > Regards, > > Aymeric > > -- > jCore > Email : avi...@jcore.fr > Peersm : http://www.peersm.com > iAnonym : http://www.ianonym.com > node-Tor : https://www.github.com/Ayms/node-Tor > GitHub : https://www.github.com/Ayms > Web : www.jcore.fr > Extract Widget Mobile : www.extractwidget.com > BlimpMe! : www.blimpme.com > > _______________________________________________ > dev-security mailing list > dev-security@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
