As noted in bug 14100, hanza.net uses port 563 for its HTTPS communication when the user chooses to authenticate via a government-issued smartcard. The port blocking added to resolve <rdar://problem/4429701> causes the page load to fail with the mesasge: "Not allowed to use restricted network port" (WebKitErrorDomain:103) To reproduce this: 1) Visit the URL above. 2) Click "Sisene ID-kaardiga". Arguably the correct solution here would be to evangelize the bank as using port 563 (NNTPS) for HTTPS traffic is a rather odd thing to be doing in the first place.
<rdar://problem/5316601>
See Bug 14100 Comment #8.
It sounds like the bank is willing to fix this. Downgrading to P2.
This problem has returned in Safari 5
(In reply to comment #4) > This problem has returned in Safari 5 Did the steps to reproduce change? From the first comment... > To reproduce this: > 1) Visit the URL above. > 2) Click "Sisene ID-kaardiga". I don't see these on the page anymore.
AFAIK, the only substanative change to the port blocking mechanism that shipped in Safari 5 was the addition of ports 6665-6669 to the blacklist. Does the bank use one of these...?
Swedbank (formerly Hansabank) has changed their website, so that the smartcard login is now at https://id.swedbank.ee using the standard SSL port 443, so this is no longer an issue. I guess Robert has hit a similar issue with some other site.
We use port 6666. I am fine if they want to warn uses if they encounter web sites on odd ports, and then allow the user to override that warning if the user knows it is a safe site. But we use browsers on odd ports regularly. What is the issue with allowing users to access any port they wish?
(In reply to comment #6) > AFAIK, the only substanative change to the port blocking mechanism that shipped in Safari 5 was the addition of ports 6665-6669 to the blacklist. Does the bank use one of these...? *sigh* I just ran into this while setting up ZNC, an IRC proxy/bouncer. It is desireable to set it up to listen on port TCP/6667—the common port for IRC serveres—so that IRC clients can mostly use the default provided port number; but ZNC also provides a web-based administration interface on the same port (i.e. https://znchost.example.com:6667/). And, as you note, Safari 5 now cannot connect to this port. You cannot in general prevent arbitrary port numbers. Even the ports registered with IANA for a protocol are only the “well-known” port numbers; there is no general requirement that a service listen only on those ports. There are also about a million different use cases for running services on arbitrary ports; the above being a case in point, a per-user service (which means either the IP or port has to be unique) where the well-known port is not available (normal users cannot bind() to ports TCP/80,443).