Bug 62253 - Do not allow mixed-content WebSockets
Summary: Do not allow mixed-content WebSockets
Status: RESOLVED DUPLICATE of bug 89068
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2011-06-07 17:42 PDT by Brian Smith
Modified: 2013-07-30 08:33 PDT
Description Brian Smith 2011-06-07 17:42:57 PDT
See https://bugzilla.mozilla.org/show_bug.cgi?id=662692

When a script attempts to open a WebSocket to a non-TLS-protected server ("ws://"), the attempt should fail if the document was delivered over HTTPS.

Since there are basically no existing WebSockets servers, there is no compatibility reason to allow ws:// (as opposed to wss://) WebSockets from an https:// webpage. We (Mozilla) would like to move to a stronger policy prohibiting all mixed content, and prohibiting https://+ws:// from the start will help prevent WebSockets from adding to the problem.

In addition to addressing this in code, we should make sure the W3C spec notes this.
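
The check requested in the description above, sketched as an added example (not part of the original report and not WebKit's code). The function names and the sample URLs are constructed for illustration, and the sketch assumes the socket URL is given in absolute form.

```javascript
// Decide whether a document may open a WebSocket to socketUrl.
// Returns { allowed, reason } so a caller can log why a connection was refused.
function checkWebSocketTarget(documentUrl, socketUrl) {
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(socketUrl); // throws on relative or malformed input
  } catch (e) {
    return { allowed: false, reason: "invalid-url" };
  }
  // The URL parser lowercases the scheme, so "WS://" and "ws://" compare equal.
  if (target.protocol !== "ws:" && target.protocol !== "wss:") {
    return { allowed: false, reason: "not-a-websocket-url" };
  }
  // The rule from this report: an https:// document must not use ws://.
  if (doc.protocol === "https:" && target.protocol === "ws:") {
    return { allowed: false, reason: "mixed-content" };
  }
  return { allowed: true, reason: "ok" };
}

// Wrap a WebSocket-like constructor so the check runs before any connection
// attempt is made. WebSocketImpl is injected so the wrapper can be tested offline.
function guardedWebSocketFactory(documentUrl, WebSocketImpl) {
  return function open(socketUrl, protocols) {
    const verdict = checkWebSocketTarget(documentUrl, socketUrl);
    if (!verdict.allowed) {
      throw new Error("WebSocket blocked (" + verdict.reason + "): " + socketUrl);
    }
    return new WebSocketImpl(socketUrl, protocols);
  };
}

// Audit helper: list the socket URLs a page at documentUrl would be refused.
function auditSockets(documentUrl, socketUrls) {
  return socketUrls.filter((u) => !checkWebSocketTarget(documentUrl, u).allowed);
}

// Constructed sample input.
const sampleSockets = [
  "wss://app.example/chat",
  "ws://app.example/chat",
  "WS://APP.EXAMPLE/feed",
];
console.log(auditSockets("https://app.example/", sampleSockets));
```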
Comment 1 Nicholas Wilson 2013-07-30 07:27:48 PDT
This bug is duplicated by #89068.
Comment 2 Alexey Proskuryakov 2013-07-30 08:33:50 PDT
Reverse duping to a bug with more discussion.

*** This bug has been marked as a duplicate of bug 89068 ***