Re: Websockets Dev Derby question

[John Karahalis]

Er, + MDN development team. :-)

On 05/04/2012 11:28 AM, John Karahalis wrote:
> Thanks for bring this to my attention, Janet. I see that ondras just
> submitted three great demos.
>
> + MDN development team. What do you guys think?
>
> On 05/04/2012 11:24 AM, Janet Swisher wrote:
>> Earlier today on IRC, 'ondras' was asking about the May Dev Derby,
>> which is for WebSockets.
>>
>> ondras: may devderby is websocket
>> [03:04am] ondras: the mozilla demos website is https
>> [03:04am] ondras: firefox does not permit https pages to make ws://
>> connections
>> [03:04am] ondras: e.g. in order to submit a working websocket demo,
>> one must use wss://
>> [03:04am] ondras: and firefox does not support wss:// with selfsigned
>> certificates
>> [03:04am] ondras: => if you want to participate in may devderby, you
>> must have a paid cert
>> [03:04am] ondras: not very nice
>>
>> So, what is our solution? I seem to recall some discussion about free
>> Websocket services. Whatever it is, we should make it very clear.
>>
>>
>

--
John Karahalis
Developer Engagement
@openjck

[Luke Crouch]

Demo creators should be able to set up wss:// hosting w/ nodejitsu.
Beaconpush does NOT support it. Not sure about pusher.com

Guillermo,

Can you give us advice to pass along to users who need wss:// hosting?

Thanks,
-L

[Luke Crouch]

There's also an about:config setting in Firefox:

network.websocket.allowInsecureFromHTTPS

Set to true.

-L

> _______________________________________________
> dev-mdn mailing list
> dev...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-mdn

[John Karahalis]

This is the first Derby with a server-side component. We recommended a
few free hosting services that support Websockets in the description of
the May contest <https://developer.mozilla.org/en-US/demos/devderby>.

My view is that judges should only take into account what they actually
see. What they see may be determined by work being done on another
server, but that's not as important. We judge on four categories:
technology, originality, aesthetics, practicality. The latter three are
not really affected by the logic that runs on the websocket server, and
"technology" can be gleaned by reading through the client-side code that
is submitted to the Derby. To use an analogy, the originality and
practicality of Mozilla.org are not really dependent on the Python code
that makes it run.

But that's just my view. I am happy to hear what you all think.

I will blog about the May Derby on Monday and will be sure to clarify
these points when I do.

On 05/04/2012 11:47 AM, David Bruant wrote:
> I have no response, but some additional questions and comments:
>
> Where will the websocket server-side code be hosted?
>
> On the "Submit a demo" page [1] is written: "Your demo should be built
> on *client-side technology* (HTML, CSS, JavaScript). Server-side
> languages like PHP and Ruby are not supported." It seems hard to do
> WebSocket without coding a server-side part :-)
>
> Regarding judging, will the server-side part will be taken into
> account? Regardless of the response, it should be communicated clearly.
>
> David
>
> [1]
> https://developer.mozilla.org/en-US/demos/submit?tags=challenge%3A2012%3Amay

>
> Le 04/05/2012 17:29, John Karahalis a écrit :
>> Er, + MDN development team. :-)
>>
>> On 05/04/2012 11:28 AM, John Karahalis wrote:
>>> Thanks for bring this to my attention, Janet. I see that ondras just
>>> submitted three great demos.
>>>
>>> + MDN development team. What do you guys think?
>>>
>>> On 05/04/2012 11:24 AM, Janet Swisher wrote:
>>>> Earlier today on IRC, 'ondras' was asking about the May Dev Derby,
>>>> which is for WebSockets.
>>>>
>>>> ondras: may devderby is websocket
>>>> [03:04am] ondras: the mozilla demos website is https
>>>> [03:04am] ondras: firefox does not permit https pages to make ws://
>>>> connections
>>>> [03:04am] ondras: e.g. in order to submit a working websocket demo,
>>>> one must use wss://
>>>> [03:04am] ondras: and firefox does not support wss:// with
>>>> selfsigned certificates
>>>> [03:04am] ondras: => if you want to participate in may devderby,
>>>> you must have a paid cert
>>>> [03:04am] ondras: not very nice
>>>>
>>>> So, what is our solution? I seem to recall some discussion about
>>>> free Websocket services. Whatever it is, we should make it very clear.
>>>>
>>>>
>>>
>>
>

[John Karahalis]

I was planning to blog about the May Derby today, but I will defer it
until early next week when we figure out answers to these questions.
Kudos to ondras for bringing them up (and still submitting three great
demos regardless!).

I honestly can't call myself a Websockets expert. A couple of questions:

* Thanks for letting us know that Nodejitsu supports wss://
connections. Is that a moot point, however, since Firefox doesn't
support wss:// connections?
* You mention *network.websocket.allowInsecureFromHTTPS*. What effect
does setting this to *true* have? Does this force Firefox to connect
across ws:// connections even when one of the communication is HTTPS?
* What would be your recommendation for the best course of action
moving forward? Perhaps we should call out (in the blog and on the
Derby landing page) that developers should use normal ws://
connections and that users should modify
*network.websocket.allowInsecureFromHTTPS *to see the demos work
properly?

Thanks,
John

On 05/04/2012 03:03 PM, Luke Crouch wrote:
> There's also an about:config setting in Firefox:
>
> network.websocket.allowInsecureFromHTTPS
>
> Set to true.
>
> -L
>
> On 5/4/12 11:47 AM, Luke Crouch wrote:
>> Demo creators should be able to set up wss:// hosting w/ nodejitsu.
>> Beaconpush does NOT support it. Not sure about pusher.com
>>
>> Guillermo,
>>
>> Can you give us advice to pass along to users who need wss:// hosting?
>>
>> Thanks,
>> -L
>>
>> On 5/4/12 8:29 AM, John Karahalis wrote:

>>> Er, + MDN development team. :-)
>>>
>>> On 05/04/2012 11:28 AM, John Karahalis wrote:
>>>> Thanks for bring this to my attention, Janet. I see that ondras
>>>> just submitted three great demos.
>>>>
>>>> + MDN development team. What do you guys think?
>>>>
>>>> On 05/04/2012 11:24 AM, Janet Swisher wrote:
>>>>> Earlier today on IRC, 'ondras' was asking about the May Dev Derby,
>>>>> which is for WebSockets.
>>>>>
>>>>> ondras: may devderby is websocket
>>>>> [03:04am] ondras: the mozilla demos website is https
>>>>> [03:04am] ondras: firefox does not permit https pages to make
>>>>> ws:// connections
>>>>> [03:04am] ondras: e.g. in order to submit a working websocket
>>>>> demo, one must use wss://
>>>>> [03:04am] ondras: and firefox does not support wss:// with
>>>>> selfsigned certificates
>>>>> [03:04am] ondras: => if you want to participate in may devderby,
>>>>> you must have a paid cert
>>>>> [03:04am] ondras: not very nice
>>>>>
>>>>> So, what is our solution? I seem to recall some discussion about
>>>>> free Websocket services. Whatever it is, we should make it very
>>>>> clear.
>>>>>
>>>>>
>>>>
>>>

>> _______________________________________________
>> dev-mdn mailing list
>> dev...@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-mdn

[Luke Crouch]

On 5/4/12 2:52 PM, John Karahalis wrote:
>
> * Thanks for letting us know that Nodejitsu supports wss://
> connections. Is that a moot point, however, since Firefox doesn't
> support wss:// connections?
>

Firefox supports wss:// connections. The original issue is that Firefox
doesn't support ws:// (i.e., insecure) connections from https:// (i.e.,
secure) pages like MDN.

>
> * You mention *network.websocket.allowInsecureFromHTTPS*. What
> effect does setting this to *true* have? Does this force Firefox
> to connect across ws:// connections even when one of the
> communication is HTTPS?
>

Yup, exactly. Before Firefox 8, Firefox always allowed ws:// connections
from https:// pages. Setting this to true sets Firefox 9+ back to the
less secure mode.

>
> * What would be your recommendation for the best course of action
> moving forward? Perhaps we should call out (in the blog and on the
> Derby landing page) that developers should use normal ws://
> connections and that users should modify
> *network.websocket.allowInsecureFromHTTPS *to see the demos work
> properly?
>

There's a few options. From most-preferred to least-preferred:

The best way is to encourage demo creators to deploy the server
component to a secure server with a *signed* ssl certificate and use
wss://. I just put together a quick example app showing this with
nodejitsu.com: https://github.com/groovecoder/nodejitsu-wss

Alternatively, demo creators can use ws:// and instruct users to set
network.websocket.allowInsecureFromHTTPS to true, but remind users to
set it back to false later.

Alternatively, demo creators can self-host with a self-signed
certificate and use wss://, but they'll need to instruct users to go
directly to the secure server host and add the self-signed certificate
as a security exception. Users will have to do this for every demo that
uses a different self-signing host. :(

-L

[Les Orchard]

On 5/4/12 3:03 PM, Luke Crouch wrote:
> There's also an about:config setting in Firefox:
>
> network.websocket.allowInsecureFromHTTPS
>
> Set to true.

FWIW, this is not something anyone should ever need to touch just to
view a demo. A demo creator with a dev setup, maybe, and only
temporarily then.

--
lorc...@mozilla.com
http://lmorchard.com
{web,mad,computer} scientist

[John Karahalis]

Thanks for the information, Les. Do you mean that people who view demos
/will/ never need to touch this, or that they /should /never touch this
for security reasons, etc.

On 05/07/2012 12:28 PM, Les Orchard wrote:
> On 5/4/12 3:03 PM, Luke Crouch wrote:
>> There's also an about:config setting in Firefox:
>>
>> network.websocket.allowInsecureFromHTTPS
>>
>> Set to true.
>
> FWIW, this is not something anyone should ever need to touch just to
> view a demo. A demo creator with a dev setup, maybe, and only
> temporarily then.
>

--

[Les Orchard]

Should never. If our suggested solution is that end-users downgrade their browsers' security to view demos, that's bad
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.