Bug 62253: RESOLVED DUPLICATE of bug 89068
Do not allow mixed-content WebSockets
https://bugs.webkit.org/show_bug.cgi?id=62253
Brian Smith
Reported 2011-06-07 17:42:57 PDT
See https://bugzilla.mozilla.org/show_bug.cgi?id=662692

When a script attempts to open a WebSocket to a non-TLS-protected server ("ws://"), the attempt should fail if the document was delivered over HTTPS. Since there are basically no existing WebSockets servers, there is no compatibility reason to allow ws:// (as opposed to wss://) WebSockets from an https:// webpage.

We (Mozilla) would like to move to a stronger policy prohibiting all mixed content, and prohibiting https://+ws:// from the start will help prevent WebSockets from adding to the problem.

In addition to addressing this in code, we should make sure the W3C spec notes this.
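The check requested in the report above, written out as an added example; it is not WebKit or Mozilla code and not part of the original report. The function names and sample URLs are constructed, and the `wss://` suggestion is an assumption about what a site audit would want to see next to each blocked URL.

```javascript
// Added example: https:// document + ws:// socket is refused; everything the
// report does not prohibit (http+ws, https+wss) is allowed.

// Decide whether a document at documentUrl may open a WebSocket to socketUrl.
function checkWebSocketTarget(documentUrl, socketUrl) {
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(socketUrl); // parser lowercases scheme and host
  } catch (e) {
    return { allowed: false, reason: "invalid-url" };
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") {
    return { allowed: false, reason: "not-a-websocket-url" };
  }
  if (doc.protocol === "https:" && target.protocol === "ws:") {
    // Mixed content: the page came over TLS, the socket would not.
    const suggestion =
      "wss://" + target.host + target.pathname + target.search;
    return { allowed: false, reason: "mixed-content", suggestion };
  }
  return { allowed: true, reason: "ok" };
}

// Audit helper: list the socket URLs a page must change before the policy
// is enforced. Returns one entry per mixed-content URL.
function auditSocketUrls(documentUrl, socketUrls) {
  const findings = [];
  for (const url of socketUrls) {
    const verdict = checkWebSocketTarget(documentUrl, url);
    if (verdict.reason === "mixed-content") {
      findings.push({ url, suggestion: verdict.suggestion });
    }
  }
  return findings;
}

// Constructed sample: socket URLs collected from one HTTPS page's scripts.
const sampleFindings = auditSocketUrls("https://app.example/dashboard", [
  "wss://feed.example/live",
  "ws://feed.example/live?room=1",
  "WS://Legacy.Example:8080/events",
]);
for (const f of sampleFindings) {
  console.log(`blocked ${f.url} -> use ${f.suggestion}`);
}
```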
Nicholas Wilson
Comment 1 2013-07-30 07:27:48 PDT
This bug is duplicated by #89068.
Alexey Proskuryakov
Comment 2 2013-07-30 08:33:50 PDT
Reverse duping to a bug with more discussion.

*** This bug has been marked as a duplicate of bug 89068 ***