How to access an insecure websocket from a secure website?

时光怂恿深爱的人放手 提交于 2020-12-31 06:25:13

问题


TL;DR: A website is served over HTTPS and needs to access a WebSockets server over an unencrypted channel (ws:// url). The browser doesn't like this.

Encrypting the websocket is possible, but inconvenient - there is no trusted authority which could sign the certificate and thus it will be needed to manually install it for every client. I'd like to leave that as the last resort.

The website must be served over HTTPS and cannot be downgraded to HTTP.

Is there any other way to bypass this restriction? I tried Content-Security-Policy, but it didn't work.


回答1:


Vix,

The scenario you're describing is one of the scenarios that were considered to be a security issue when the restrictions against opening non-secure Websocket connections were put in place.

A user visiting a secure website (HTTPS) assumes all data is secure. The browser will not allow non-secure communication within this context (unless it has a security fault). This should include asset requests and any other requests invoked within the secure context (expect "mixed content" messages to slowly fade into history, as restrictions tighten up).

It's even worst on some browsers. For example, Safari will refuse to open a secure Websocket connection to an unsigned server even if the webpage was loaded with temporary approval for the certificate.

Is there any other way to bypass this restriction?

I'm sorry to report that the short answer to your question is "no".



来源:https://stackoverflow.com/questions/45572440/how-to-access-an-insecure-websocket-from-a-secure-website

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!