Closed Bug 1468944 Opened 7 years ago Closed 5 years ago

Security Error: https://schalk.net is the secure reverse proxy for ws://localhost:3000 on a digitalocean droplet and it won't load in Firefox due to baseless security concern yet the insecure http://schalk.net worked fine.

Categories

(Firefox :: Security, defect)

61 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: pyschalk, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180614220111

Steps to reproduce:

I tried to load the page repeatedly.

Actual results:

Page won't load. Clicked F12 and saw: "SecurityError: The operation is insecure. sources.js:24". Page 24 of sources.js is "var socket = new WebSocket('ws://localhost:3055/');".

Expected results:

https://schalk.net should have loaded, just as the less secure http://schalk.net did before I added encryption. Making my site more secure caused Firefox to reject my page due to an erroneous security concern. ws://localhost:3055 can be reached only through https://schalk.net so there is no legitimate security concern.

Apparently everything in sources.js is being disregarded. "socket" is defined and "sources" is instantiated in the sources.js file. That would explain the subsequent error messages erroneously saying "socket" and "sources" are undefined.

I recently attempted to load http://schalk.net with versions 62.0a1 (2018-06-14) (64 bit) and 60.0.2-1, both to no avail.

This is reproducible on Windows 10 with latest Nightly build. It does not load the page and console shows the error, SecurityError: The operation is insecure.

Test env't
----------
Version 62.0a1
Build ID 20180619220118
Update Channel nightly
User Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true

Hello Schalk,

I'm sorry your bug remained in Bugzilla limbo for so long. :( The reason this was failing is because you cannot access non-secured WebSocket resources when loading the document over HTTPS. You'd need to use the wss:// WebSocket protocol over SSL in order to connect to the socket.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
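
An added example (not part of the bug report or of Firefox's code) of the fix the comment above describes: derive the socket URL from the page's own location, so a document loaded over HTTPS always requests wss://. The function names and the `/ws` path are assumptions, and the reverse proxy is assumed to forward WebSocket upgrades on that path.

```javascript
// Added example. socketUrlFor, isInsecureFromSecurePage, connect and the
// "/ws" path are hypothetical names, not taken from the reporter's site.

// Build the socket URL from the page's own URL so the schemes always pair up:
// http: page -> ws:, https: page -> wss:.
function socketUrlFor(pageHref, path) {
  const page = new URL(pageHref);
  if (page.protocol !== 'http:' && page.protocol !== 'https:') {
    throw new TypeError('unsupported page scheme: ' + page.protocol);
  }
  const url = new URL(path, page); // same host and port as the page
  url.protocol = page.protocol === 'https:' ? 'wss:' : 'ws:';
  url.hash = ''; // a WebSocket URL must not carry a fragment (RFC 6455)
  return url.href;
}

// True for the combination the comment above describes: a document loaded
// over HTTPS asking for a non-secured ws:// socket.
function isInsecureFromSecurePage(pageHref, socketHref) {
  const page = new URL(pageHref);
  const sock = new URL(socketHref, page);
  return page.protocol === 'https:' && sock.protocol === 'ws:';
}

// Browser-side use: replaces a hard-coded "ws://..." string.
function connect(path) {
  return new WebSocket(socketUrlFor(window.location.href, path));
}

// Constructed inputs, runnable outside a browser (e.g. Node.js):
const checks = [
  ['https://schalk.net/', 'ws://localhost:3055/'],
  ['https://schalk.net/', socketUrlFor('https://schalk.net/', '/ws')],
  ['http://schalk.net/', socketUrlFor('http://schalk.net/', '/ws')],
];
for (const [page, sock] of checks) {
  console.log(page, '->', sock, isInsecureFromSecurePage(page, sock) ? 'REJECTED' : 'ok');
}
```
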