Bug 62253
| Summary: | Do not allow mixed-content WebSockets | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Brian Smith <bsmith> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | abarth, ap, nicholas |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Brian Smith
See https://bugzilla.mozilla.org/show_bug.cgi?id=662692
When a script attempts to open a WebSocket to a non-TLS-protected server ("ws://"), the attempt should fail if the document was delivered over HTTPS.
Since there are basically no existing WebSockets servers, there is no compatibility reason to allow ws:// (as opposed to wss://) WebSockets from an https:// webpage. We (Mozilla) would like to move to a stronger policy prohibiting all mixed content, and prohibiting https://+ws:// from the start will help prevent WebSockets from adding to the problem.
In addition to addressing this in code, we should make sure the W3C spec notes this.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Nicholas Wilson
This bug is duplicated by #89068.
Alexey Proskuryakov
Reverse duping to a bug with more discussion.
*** This bug has been marked as a duplicate of bug 89068 ***