[Interest] wss:// on localhost

Mårten Nordheim marten.nordheim at qt.io
Tue Aug 4 16:44:06 CEST 2020 

Ah sorry. What I meant is that I had a secure website (https://myothercomputer/app.html) which initiated a websocket connection to ws://127.0.0.1, and it works fine.
You have to use "127.0.0.1" in this case and not "localhost" due to the fact that you can remove or change what "localhost" should point to.

Mårten

________________________________________
From: Alexander Carôt <alexander_carot at gmx.net>
Sent: Tuesday, August 4, 2020 15:04
To: Mårten Nordheim
Cc: Thiago Macieira; interest at qt-project.org
Subject: Aw: Re: [Interest] wss:// on localhost

Hi Marten,

>> Looking at https://letsencrypt.org/docs/certificates-for-localhost/ they mention that "modern" browsers let you make insecure connections to
>>127.0.0.1.
>> Tested locally with a secure website connecting to ws://127.0.0.1 and it works fine. Which browsers do or don't support it I'm not sure though,
>>but it could be enough for your use-case?

ws on 127.0.0.1 is not the problem. The problem is *mixed content* with ws on localhost: Almost any up2date CMS or web use case in general requires me to apply SSL (https) and I cannot run an unsecure websocket from a secure site. This sounds like a trivial problem but in practice this leads to my conclusion below.

Best

Alex

--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797


> Gesendet: Dienstag, 04. August 2020 um 10:00 Uhr
> Von: "Mårten Nordheim" <marten.nordheim at qt.io>
> An: "Alexander Carôt" <alexander_carot at gmx.net>
> Cc: "Thiago Macieira" <thiago.macieira at intel.com>, "interest at qt-project.org" <interest at qt-project.org>
> Betreff: Re: [Interest] wss:// on localhost
>
> Looking at https://letsencrypt.org/docs/certificates-for-localhost/ they mention that "modern" browsers let you make insecure connections to 127.0.0.1.
> Tested locally with a secure website connecting to ws://127.0.0.1 and it works fine. Which browsers do or don't support it I'm not sure though, but it could be enough for your use-case?
>
> Mårten
>
> ________________________________________
> From: Interest <interest-bounces at qt-project.org> on behalf of Alexander Carôt <alexander_carot at gmx.net>
> Sent: Tuesday, August 4, 2020 09:51
> To: Alexander Carôt
> Cc: Thiago Macieira; interest at qt-project.org
> Subject: Re: [Interest] wss:// on localhost
>
> >> A conventional html page (classical web browser) launches a websocket via wss://localhost:1234 and connects to a Qt
> >application which hosts a QtWebsocket Server which binds to localhost:1234. This way I achieve communication between browser
> >>and app. Would love to stay with ws:// but modern CMS (well - websites in general) etc. require using SSL and mixed content is
> >>not working anymore.
>
> 1) For now I do accept that wss://localhost:wxyz is not possible because
>
> 2) I identified a workaround: Rather than a websocket I create a UDP socket on localhost and choose WebRTC within the browser in order to send UDP messages.
>
> 3) Is it worth doing further discussion about wss://localhost.abcd or do we have to accept also in the long term ? It would be a shame because it's such a convenient solution.
>
> 4) It's also a shame how the Internet has become - I still have a mindset of the year 2000 where the web was not really a significant resource of criminal intent. I understand this can lead to misunderstanding ;-)
>
> 5) Thanks for all the comments - I actually learnt a lot regarding security !
>
>
> Best
>
> Alex
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
>

More information about the Interest mailing list