Issue 367149 in chromium: Remove flag allow-insecure-websocket-from-https-origin

chro...@googlecode.com

Apr 25, 2014, 12:35:59 PM
to chromi...@chromium.org
Status: Assigned
Owner: tyos...@chromium.org
CC: dslo...@chromium.org
Labels: Type-Bug Pri-2 Cr-Enterprise Cr-Blink M-43 OS-Linux OS-Mac
OS-Windows

New issue 367149 by sas...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
http://code.google.com/p/chromium/issues/detail?id=367149

NOT TO BE IMPLEMENTED BEFORE M43. Filed for tracking only until that
milestone.

A temporary flag allow-insecure-websocket-from-https-origin is being
introduced in 36 timeframe to allow some apps to not break on Chrome 36
when this will be disabled in general. This bug is being filed far far in
advance to remove this flag in future after giving a reasonable time window
for app developers & customers to adapt.

For reference, CLs related to the introduction of this flag
https://codereview.chromium.org/248863003/
https://codereview.chromium.org/246893014/

chro...@googlecode.com

Jun 1, 2014, 2:10:39 AM
to chromi...@chromium.org

Comment #1 on issue 367149 by cjaent...@googlemail.com: Remove flag
allow-insecure-websocket-from-https-origin
http://code.google.com/p/chromium/issues/detail?id=367149

Now how are we supposed to solve this problem:

An https webapp wants to connect to a local Server via websocket (to
control local peripherals) ...?

chro...@googlecode.com

Sep 14, 2014, 7:17:46 PM
to chromi...@chromium.org

Comment #2 on issue 367149 by sunm...@gmail.com: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

We want this flag to allow https to ws on localhost too.

chro...@googlecode.com

Sep 18, 2014, 12:57:08 AM
to chromi...@chromium.org
Updates:
Cc: mk...@chromium.org
Labels: Cr-Blink-WebSockets

Comment #3 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

+mkwst

There's a proposal to treat local resource as secure. But also there's a
proposal to block access from web resource to local resource (see
http://crbug.com/378566).

At least we'll remove support for non localhost cases on M43.

chro...@googlecode.com

Mar 16, 2015, 5:38:48 AM
to chromi...@chromium.org

Comment #5 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

It's time to do this.

chro...@googlecode.com

Mar 16, 2015, 6:04:00 AM
to chromi...@chromium.org

Comment #6 on issue 367149 by cben...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

Yes, this should definitely follow the "secure origins" rules for powerful
features - so it would work on localhost even if not on https for example.

chro...@googlecode.com

Mar 16, 2015, 6:16:57 AM
to chromi...@chromium.org

Comment #7 on issue 367149 by mk...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

Really?

The mixed content spec doesn't distinguish between loopback and
non-loopback (at least partially because of the plans in
https://crbug.com/378566), and the mixed content checker doesn't
distinguish either. It's not clear to me that it's a good idea to allow
insecure local loopback, period.

As discussed on that other bug, getting rid of secure local loopback is
appealing, and I don't think we've shut the door on it at all. Quite the
contrary.

chro...@googlecode.com

Mar 24, 2015, 7:15:07 AM
to chromi...@chromium.org

Comment #8 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

#2: Does your use case require that the flag is changeable at about:flags?
You can still specify the --allow-running-insecure-content command line
flag to turn off the mixed content check. Of course, before using it, you
should understand what the flag means and avoid using it for running
untrusted applications.

chro...@googlecode.com

Mar 24, 2015, 7:46:06 AM
to chromi...@chromium.org
Updates:
Status: Started

Comment #9 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

Patches are ready:
- Chromium: https://codereview.chromium.org/1032603003/
- Blink: https://codereview.chromium.org/1031833004/

chro...@googlecode.com

Mar 25, 2015, 3:54:02 AM
to chromi...@chromium.org

Comment #10 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

Mike introduced the MixedContentWebSocket use counter on
d6533e03d9a0f9b613d9cee2a40d1bd9a1e5c58f (Jan 8 2015).

https://www.chromestatus.com/metrics/feature/timeline/popularity/663

chro...@googlecode.com

Mar 30, 2015, 3:26:54 AM
to chromi...@chromium.org

Comment #12 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

Flag removal CL has been landed. It'll be included in the M43 branch.

chro...@googlecode.com

Mar 31, 2015, 12:31:20 AM
to chromi...@chromium.org

Comment #13 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

322748 is included in the branch 2351

chro...@googlecode.com

May 26, 2015, 10:53:12 PM
to chromi...@chromium.org

Comment #17 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

This about:flags was provided to have migration period for apps that were
depending on ws:// on https:// page. The period ended. We won't revive the
flag.

You can run Chrome with --allow-running-insecure-content flag to allow
mixed content WebSocket so far, though you must understand the security
risk of the option. We don't guarantee availability of this flag in the
future.
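
An added example, not part of the original thread and not Chromium's code: it models the mixed content rule as comment #7 describes it (ws:// opened from an https:// page counts as mixed content, loopback included) and reports the wss:// form each endpoint would need for the migration comment #17 refers to. The page URL, endpoint list and function names are constructed for illustration.

```javascript
// Assumption (from comment #7): no exception is made for loopback hosts.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Classify one WebSocket endpoint as seen from the page that opens it.
function classifyWebSocket(pageUrl, wsUrl) {
  const page = new URL(pageUrl);
  const target = new URL(wsUrl);
  if (target.protocol !== 'ws:' && target.protocol !== 'wss:') {
    throw new TypeError(`not a WebSocket URL: ${wsUrl}`);
  }
  // Mixed content: secure page, insecure WebSocket scheme.
  const mixed = page.protocol === 'https:' && target.protocol === 'ws:';
  // Recorded for reporting only; it does not change the verdict.
  const loopback = LOOPBACK_HOSTS.has(target.hostname);
  let suggestion = null;
  if (mixed) {
    const upgraded = new URL(target.href);
    upgraded.protocol = 'wss:'; // same host, port and path over TLS
    suggestion = upgraded.href;
  }
  return { url: target.href, mixed, loopback, suggestion };
}

// Return only the endpoints that the page could not open.
function auditPage(pageUrl, endpoints) {
  return endpoints
    .map((endpoint) => classifyWebSocket(pageUrl, endpoint))
    .filter((result) => result.mixed);
}

// Constructed sample input.
const PAGE = 'https://app.example.test/dashboard';
const ENDPOINTS = [
  'wss://app.example.test/events',
  'ws://devices.example.test/ctl',
  'ws://localhost:8080/printer',
  'ws://127.0.0.1:9000/',
];

for (const r of auditPage(PAGE, ENDPOINTS)) {
  const note = r.loopback ? ' (loopback, still mixed content)' : '';
  console.log(`${r.url}${note} -> ${r.suggestion}`);
}
```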

chro...@googlecode.com

May 27, 2015, 3:23:33 AM
to chromi...@chromium.org

Comment #18 on issue 367149 by tyos...@chromium.org: Remove flag
allow-insecure-websocket-from-https-origin
https://code.google.com/p/chromium/issues/detail?id=367149

Reply to https://codereview.chromium.org/248863003/#msg20

See https://www.chromium.org/getting-involved/download-chromium and use
https://omahaproxy.appspot.com/ to check correspondence between revision
number and Chromium version number.