[Interest] wss:// on localhost

Alexander Carôt alexander_carot at gmx.net
Tue Aug 4 15:04:37 CEST 2020 

Hi Marten,

>> Looking at https://letsencrypt.org/docs/certificates-for-localhost/ they mention that "modern" browsers let you make insecure connections to 
>>127.0.0.1.
>> Tested locally with a secure website connecting to ws://127.0.0.1 and it works fine. Which browsers do or don't support it I'm not sure though, 
>>but it could be enough for your use-case?

ws on 127.0.0.1 is not the problem. The problem is *mixed content* with ws on localhost: Almost any up2date CMS or web use case in general requires me to apply SSL (https) and I cannot run an unsecure websocket from a secure site. This sounds like a trivial problem but in practice this leads to my conclusion below.

Best

Alex

--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797


> Gesendet: Dienstag, 04. August 2020 um 10:00 Uhr
> Von: "Mårten Nordheim" <marten.nordheim at qt.io>
> An: "Alexander Carôt" <alexander_carot at gmx.net>
> Cc: "Thiago Macieira" <thiago.macieira at intel.com>, "interest at qt-project.org" <interest at qt-project.org>
> Betreff: Re: [Interest] wss:// on localhost
>
> Looking at https://letsencrypt.org/docs/certificates-for-localhost/ they mention that "modern" browsers let you make insecure connections to 127.0.0.1.
> Tested locally with a secure website connecting to ws://127.0.0.1 and it works fine. Which browsers do or don't support it I'm not sure though, but it could be enough for your use-case?
> 
> Mårten
> 
> ________________________________________
> From: Interest <interest-bounces at qt-project.org> on behalf of Alexander Carôt <alexander_carot at gmx.net>
> Sent: Tuesday, August 4, 2020 09:51
> To: Alexander Carôt
> Cc: Thiago Macieira; interest at qt-project.org
> Subject: Re: [Interest] wss:// on localhost
> 
> >> A conventional html page (classical web browser) launches a websocket via wss://localhost:1234 and connects to a Qt
> >application which hosts a QtWebsocket Server which binds to localhost:1234. This way I achieve communication between browser
> >>and app. Would love to stay with ws:// but modern CMS (well - websites in general) etc. require using SSL and mixed content is
> >>not working anymore.
> 
> 1) For now I do accept that wss://localhost:wxyz is not possible because
> 
> 2) I identified a workaround: Rather than a websocket I create a UDP socket on localhost and choose WebRTC within the browser in order to send UDP messages.
> 
> 3) Is it worth doing further discussion about wss://localhost.abcd or do we have to accept also in the long term ? It would be a shame because it's such a convenient solution.
> 
> 4) It's also a shame how the Internet has become - I still have a mindset of the year 2000 where the web was not really a significant resource of criminal intent. I understand this can lead to misunderstanding ;-)
> 
> 5) Thanks for all the comments - I actually learnt a lot regarding security !
> 
> 
> Best
> 
> Alex
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
>

More information about the Interest mailing list