[tor-commits] [websocket/master] Use plain http (not https) in embed links.

dcf at torproject.org dcf at torproject.org
Thu Oct 3 16:36:10 UTC 2013 

commit f4440e6e8ea035e867a45846cc67bac5e5df95c2
Author: David Fifield <david at bamsoftware.com>
Date:   Tue Jun 5 22:10:18 2012 -0700

    Use plain http (not https) in embed links.
    
    Using https would be preferable, which is why I changed this to explicit
    https in 836b7a27. But I learned that Firefox doesn't allow making a
    plaintext (ws) WebSocket connection in an https page; you have to use
    wss instead, for the same reason you get mixed-content warnings.
    
    https://bugzilla.mozilla.org/show_bug.cgi?id=662692
    https://developer.mozilla.org/en/Firefox_8_for_developers#WebSockets
    https://developer.mozilla.org/en/WebSockets/Writing_WebSocket_client_applications#Security_considerations
    
    I think that we can't use wss sockets because they would require each
    client to have a CA cert.
    
    In the iframe link, I've left the protocol implicit, so it will use
    https if the page itself is https and http otherwise. This is to avoid
    using mixed content, but the badge won't work if the browser disallows
    the plaintext WebSocket.
    
    The about:config setting that controls this is
    network.websocket.allowInsecureFromHTTPS.
---
 doc/websocket-transport.txt |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/websocket-transport.txt b/doc/websocket-transport.txt
index ad1eef5..cf46301 100644
--- a/doc/websocket-transport.txt
+++ b/doc/websocket-transport.txt
@@ -103,7 +103,7 @@ Examples
 
 > GET / HTTP/1.1\r\n
 > Host: 192.0.2.1:80\r\n
-> Origin: https://example.com\r\n
+> Origin: http://example.com\r\n
 > Sec-WebSocket-Version: 13\r\n
 > Sec-WebSocket-Key: mzo2xSF9N8VUxuefqO0RSw==\r\n
 > Connection: Upgrade\r\n
@@ -121,7 +121,7 @@ Examples
 
 > GET / HTTP/1.1\r\n
 > Host: 192.0.2.1:80\r\n
-> Origin: https://example.com\r\n
+> Origin: http://example.com\r\n
 > Sec-WebSocket-Version: 13\r\n
 > Sec-WebSocket-Protocol: base64\r\n
 > Sec-WebSocket-Key: k5Ybhw0XBDeBfmda1J9ooQ==\r\n

More information about the tor-commits mailing list