Open Bug 1734976 Opened 4 years ago Updated 4 years ago

Websocket Allow Insecure From HTTPS to http://*.local hostnames

Categories

(Core :: DOM: Networking, enhancement, P3)

Product:
Core
Component:
DOM: Networking
Version:
Firefox 95
Type:
enhancement

Tracking

()

Tracking Flags:
Tracking Status
firefox95 --- affected

People

(Reporter: martin.chevignard, Unassigned)

Details

(Whiteboard: [necko-triaged])

There are usecases where a device can be connected on the local network with a hostname like pi.local (raspberry, etc). If you want to access it via the browser in HTTPS it is impossible without disabling the option network.websocket.allowInsecureFromHTTPS. Since the device is knowingly connected to the network, shouldn't it be considered as "trusted"?

Marking this as New to get further attention from developers as an enhancement. If this is not the right component, please change it to the correct one.

Status: UNCONFIRMED → NEW
Ever confirmed: true

"trusted" is not the same as "secure encrypted connection", and in fact on some networks the "local" net can be just as subjected to snooping as anywhere else. There's no way for the browser to know.

On the other hand this is not an uncommon problem that we'd like to address.

Component: Security → DOM: Security
Product: Firefox → Core

This is the early proposal (not a standard yet!) we're looking at: https://wicg.github.io/private-network-access/ This would not be a websocket-specific thing, it would apply to sub-resource loads generally

Component: DOM: Security → DOM: Networking
Severity: -- → N/A
Priority: -- → P3
Whiteboard: [necko-triaged]
You need to log in before you can comment on or make changes to this bug.