-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsecure websocket connection #2
Comments
We're already using |
yeah that sounds a bit annoying. In the |
Yep, there's more important (and fun) stuff to do now. But found that Chromium (and thus Chrome) seems to forbid |
I guess those two posts are relevant (probably more the second one) |
And a post on how to generate the self-signed certificate https://letsencrypt.org/docs/certificates-for-localhost/ I guess that could just be done and ship the certificates like they do in HTTP.jl (https://github.com/JuliaWeb/HTTP.jl/blob/master/test/cert.pem, https://github.com/JuliaWeb/HTTP.jl/blob/master/test/key.pem) Edit:
Maybe it's worth giving a shot? Edit 2: |
Making the OS globally trust such certificates seems to be very specific to each OS, even different Linux distros. That means it will be quite some work... How big of an issue would it be for the user of LiveServer to add an exception due to an untrusted certificate to the browser? |
Hmm I just wonder how these libraries ( |
Yep, Chrome is widely used. The only way to find out is to have a look at "the others"... |
Ok, <script id="__bs_script__">//<![CDATA[
document.write("<script async src='/browser-sync/browser-sync-client.js?v=2.26.3'><\/script>".replace("HOST", location.hostname));
//]]></script> That is, they asynchronously load the script file from the server, interpolating the host name into the script. I think we can stick with our solution of just pasting the few lines of code directly. As for the certificates, they do generate a self-signed one using openssl, cf. https://github.com/BrowserSync/browser-sync/blob/master/packages/browser-sync/certs/gen.sh. They AFAIK do not take measures to get rid of the browser warnings; when I run browser-sync --https the browser (Firefox in this example) opens and shows me that ugly
I can then add an exception... |
Hrm, but somehow |
So #36 is closed, and it was a server-side problem after all. So users of any browsers should be able to use LiveServer now. Do we still want to add self-signed certificates before the Initial Announcement? Could (ok, should...) be as simple as copying the shell-script from |
So if we keep it as you fixed it, they see an "insecure connection" warning and if we were to add the self-signed certificates then the warning would not show? If so I'd be in favour of the second one of course, but if an exception shows either way then why bother. And if that's the case (exception) then it should just be explained in the doc so people know. |
There's three options:
The question thus is whether we want to offer a dev-server which allows one to also test the behavior of his page under a secure connection. I'd say we should add it, i.e. go with the second option above (which is also what |
yeah that's great I would suggest doing (1) for the initial announcement and (2) for some further future (possibly with feedback from early users?) |
Agreed; removed it from the milestone. |
Hi! I think we can close this old issue! Some comments:
|
It looks like using
sec-websocket-key
is what we want (?) (see also this so post). It looks like it's possible to do that with HTTP.jl as per these lines.The text was updated successfully, but these errors were encountered: