Just want to add a few notes here.

Firefox has blocked Mixed Content websockets for a long time; this is enforced in the websockets code itself. Because of this, the new Mixed Content Blocker code returns early when it sees a websocket request - http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsMixedContentBlocker.cpp#249. Hence, MCB has punted to the websocket code to make decisions about what to allow/deny.

Firefox and Chrome's definition of Mixed Active Content differs in 3 main ways. Firefox treats mixed iframes, xhr, and fonts as active content. In Chrome 30, mixed iframes will move to the active category (you can test this out in the current Chrome Canary). Chrome is also planning to move mixed xhr to the active category soon (but I don't know exactly when). When this happens, the only difference in our implementations will be mixed content fonts. External fonts are not that common and mixed content fonts don't break the web since browsers will just fall back to the default, so I'm not too worried about this.

On 7/30/13 9:27 AM, Nicholas Wilson wrote:
On 27 July 2013 02:18, Daniel Veditz <[email protected]> wrote:
Uniformity is indeed important. Are you implying that some other browser
is NOT blocking mixed-content WebSockets?
For completeness, we're just checking the whole range of browsers at the moment.
OK, thanks to a helpful intern we have the full run-down:

Browsers that block mixed-content WebSockets:
  * Firefox (v22 & v23 tested, on Win/OSX/Ubuntu)
  * Firefox mobile (v22 on Android)
  * IE 10 and 11-preview (Windows 7)
  * IE 10 on SurfaceRT

Browsers that allow mixed-content WebSockets:
  * Chrome (vv28-30 tested, on Win/OSX/Ubuntu)
  * Safari (v5 & v6 tested on Win/OSX)
  * Opera (v15 & v16-next on Win/OSX)
  * Safari on iOS 6
  * Chrome 28 on iOS 6
  * Chrome (v18 as stock browser on Android 4.2 on an S4, and v28 installed from Play)
  * Opera mobile (v14, v12 "Classic" on Android)

Browsers without WebSockets at all:
  * IE 8, 9
  * Opera mini
  * Opera 12

Test details: open https://www.websocket.org/echo.html. Make a wss://
connection. Make a ws:// connection.

So IE and Firefox are on one side, Opera and Chrome and Safari on the
other. Hardly any mobile browser users are having mixed-content
WebSockets blocked.

Nicholas

-----
Nicholas Wilson: [email protected]
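Added example, not code from the thread, from Mozilla or from any browser: it models the blocking decision discussed above (a TLS-loaded page requesting a plaintext sub-resource is mixed, and whether it is blocked depends on the browser's active-content definition) and reproduces the wss:// vs ws:// probe the cross-browser test used. The per-browser type sets follow the thread (Firefox: iframe, xhr and font are active; Chrome 30: iframe; Chrome 28-30 let ws:// through); the script/stylesheet/object baseline, the `chrome`/`firefox` profile names and any echo host are assumptions.

```javascript
// Added example, not code from the thread or from any browser. Models the
// decision described above: a TLS-loaded page requesting a plaintext
// sub-resource is "mixed", and whether it is blocked depends on the browser's
// active-content definition. Type sets follow the thread (Firefox: iframe,
// xhr, font are active; Chrome 30: iframe; Chrome 28-30 allow ws://) plus the
// common baseline of script/stylesheet/object, which is my assumption.
const BLOCKED_TYPES = {
  firefox: new Set(["script", "stylesheet", "object", "websocket", "iframe", "xhr", "font"]),
  chrome:  new Set(["script", "stylesheet", "object", "iframe"]),
};
const SECURE = new Set(["https:", "wss:"]);
const INSECURE = new Set(["http:", "ws:"]);

function classifyMixedContent(pageUrl, resourceUrl, type, browser) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl); // relative URLs inherit the page scheme
  if (!SECURE.has(page.protocol) || !INSECURE.has(res.protocol)) {
    return { mixed: false, blocked: false }; // plaintext page, or a secure resource
  }
  const set = BLOCKED_TYPES[browser];
  if (!set) throw new Error("unknown browser profile: " + browser);
  return { mixed: true, blocked: set.has(type) };
}

// Run in a browser console on an https page to repeat the thread's test:
// probeWebSocket("ws://<echo-host>/").then(console.log)  (host is a placeholder).
// Resolves "blocked" when the constructor throws (Firefox/IE refuse mixed ws://
// synchronously), "allowed" when the socket opens, "error" for an asynchronous
// failure (blocked later, or simply unreachable), "unsupported" when the API
// is absent (IE 8/9 in the table above), "timeout" if nothing happens in time.
function probeWebSocket(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    if (typeof WebSocket !== "function") return resolve("unsupported");
    let ws;
    try {
      ws = new WebSocket(url);
    } catch (e) {
      return resolve("blocked");
    }
    const timer = setTimeout(() => { ws.close(); resolve("timeout"); }, timeoutMs);
    ws.onopen = () => { clearTimeout(timer); ws.close(); resolve("allowed"); };
    ws.onerror = () => { clearTimeout(timer); resolve("error"); };
  });
}
```

Compare a wss:// probe against a ws:// probe from the same https page; only the browsers in the first list above should return "blocked" for the latter.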
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
