add network.websocket.allowInsecureFromHTTPS as devtool option
Categories
(DevTools :: Netmonitor, enhancement, P3)
Tracking
(Not tracked)
People
(Reporter: post, Unassigned)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Build ID: 20170826053331 Steps to reproduce: connect to unsecure websocket from secure page with devtools open. Actual results: security warning Expected results: connect
Please add an option similar to "network.websocket.allowInsecureFromHTTPS" to be used when in dev mode / devtools.
Updated•7 years ago
|
Updated•7 years ago
|
Comment 2•6 years ago
|
||
I think we need the Options drop-down menu in the Network panel first. Honza
Updated•6 years ago
|
Comment 3•4 years ago
|
||
Harald do we want this now when we have the Settings menu?
Honza
Comment 4•4 years ago
|
||
This would be applied to all tabs and even without DevTools open; so we probably want to be more considerate (as with other things in bug 1569964).
devtools.serviceWorkers.testing.enabled
and devtools.cache.disabled
all seem to map back to browser-context and not some browser-wide preference: https://searchfox.org/mozilla-central/rev/41c3ea3ee8eab9ce7b82932257cb80b703cbba67/devtools/shared/specs/targets/browsing-context.js#47
Comment 5•4 years ago
|
||
It looks like we have 2 related prefs in play here, network.websocket.allowInsecureFromHTTPS
(controlled by necko) but also security.mixed_content.block_active_content
(controlled by security).
Johann, can you clarify if allow insecure websockets would part of a developer pref to circumvent 1) secure context, 2) mixed content, 3) generally disabling web security or 4) something different?
Comment 6•4 years ago
|
||
That's a good question. It could be part of any of them 🙃. It depends on which you want to expose?
What I don't understand: there is a possibility to disable mixed content protection per site, though we were hoping remove that eventually. In the identity popup, click on the "Connection Secure" sub-item and disable protection. Does this mechanism not affect websockets? If not, then maybe we should fix that?
Relatedly, maybe we could move this entire mechanism to disable mixed content protection to devtools and remove it from our identity UI?
Comment 7•4 years ago
|
||
- It seems dubious that mixed content WebSocket and blockable mixed content are controlled differently. They ought to be controlled by the same flag.
- I was hoping that we could consider blockable mixed content an error and not have to go further than to explain the error to web developers. I.e., remove all UI and configuration around it.
- Failing that, letting developer tools (when open) configure it seems reasonable. This might be a bit tricky with Mixed Content 2 where non-blockable mixed content will be automatically upgraded, but I guess we would not upgrade that either then. Developer tools should maybe be involved in the design of that to some extent to see how many options we need code-wise.
Comment 8•4 years ago
|
||
I was hoping that we could consider blockable mixed content an error and not have to go further than to explain the error to web developers. I.e., remove all UI and configuration around it.
Would your assumption even apply for local testing? This is what bug 1569964 is focussed on. Use cases we see are non-HTTPS requests, secure context APIs, etc on local/staged projects on custom hosts.
Comment 9•4 years ago
|
||
Relatedly, maybe we could move this entire mechanism to disable mixed content protection to devtools and remove it from our identity UI?
Happy to take that on in the tools, if testing is the only remaining use case we are seeing for this pref.
Comment 10•4 years ago
|
||
I think the correct long term approach for local testing is what I mentioned in bug 1220810 comment 44. Use localhost or *.localhost domains or get a proper domain name and a certificate. Until that bug is fixed that approach is hard to promote. And even if that bug is fixed it's not clear to me if that is sufficient and you may well be correct that at least in the short-to-medium term it would help a lot to have overrides available (with the appropriate mitigations in place, such as developer tools being open or only on Nightly/Dev).
I think I saw mixed content differently as you need something over HTTPS for that to even be an issue, but it is the scenario OP had and it might well be common enough to warrant addressing I guess.
Comment 11•4 years ago
|
||
I think the correct long term approach for local testing is what I mentioned in bug 1220810 comment 44.
Was there some validation done that *.localhost
is something a lot of developers do or that it is a long-term solution? If users would have the technical choice to just use localhost
then there would be much less threads about disabling web security for local development. I have to dig a bit deeper to research what developers expext and where this is going.
I think I saw mixed content differently as you need something over HTTPS for that to even be an issue, but it is the scenario OP had and it might well be common enough to warrant addressing I guess.
That is true. CORS and Secure Context are probably higher on the list than mixed content.
Updated•2 years ago
|
Description
•