We have a websocket server on port 8080 setup on a Linode box. Chrome and Opera work just fine. Firefox however complains that the operation is insecure.
"The operation is insecure: Code 18"
If I try to create a new WebSocket object in the web console before the page is loaded everything is fine. However, after the page loads something is screwy then I cannot create the object anymore. See the attached screenshot.
I have no idea what operation is insecure or even how to go about diagnosing this.
Some WebSockets security vulnerabilities arise when an attacker makes a cross-domain WebSocket connection from a web site that the attacker controls. This is known as a cross-site WebSocket hijacking attack, and it involves exploiting a cross-site request forgery (CSRF) vulnerability on a WebSocket handshake.
The WebSocket inspector will be released in Firefox 71, but is ready for you to use in Firefox Developer Edition now.
Avoid using WebSockets if only a small number of messages will be sent or if the messaging is very infrequent. Unless the client must quickly receive or act upon updates, maintaining the open connection may be an unnecessary waste of resources.
As you point out in another answer, https://
to ws://
is disallowed by default on firefox.
Going to firefox's about:config
and toggling network.websocket.allowInsecureFromHTTPS
will get rid of the SecurityError
.
I fixed this. The app itself is under SSL but the websocket being accessed is not. Chrome and Opera don't care but Firefox does. According to:
https://bugzilla.mozilla.org/show_bug.cgi?id=303952
This is known and is not considered a bug. Mozilla's response: wontfix
Solution, put websocket server under SSL and use wss://
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With