-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent mixed content warnings for TLS sites embedding ipfs URIs #75
Comments
I am okay with adding the flag: content-addressing provides better protection against MITM than TLS anyway (as long as user controls the gateway). We probably need to add a new section to SECURITY.md and explicitly advise people against use of custom gateways outside of their control. I am worried we don't see all security implications. Perhaps we should add this as a separate preference (disabled by default): |
It would be great to have this, currently for example https://ipfs.pics doesn't work on the redirect, one has to use http version which is much much worst. Also FF people are considering making all localhost as trusted content, only opposition are those who want to block browser off localhost completely. https://bugzilla.mozilla.org/show_bug.cgi?id=903966 |
I tried to replicate, but https://ipfs.pics/QmR48aP79GaXfs5rh469kAJw9wDLA5yYrcgsL5gyuQjmBe loads http://127.0.0.1:8080/ipfs/QmR48aP79GaXfs5rh469kAJw9wDLA5yYrcgsL5gyuQjmBe just fine, the only drawback is mixed-content warning: Am I missing something? |
Hmm, I thought it was blocking the mixed content completely but it looks like it works now. Sorry for that. |
Update via Bug 903966 - Don't block mixed content from localhost:
|
I just confirmed that there is no "mixed content" warning under Firefox 56 when using local ( |
I install stunnel on 8443 port and make certificate for 127.0.0.1 and other domains. Root certificate (rootcert.pem or rootcert.crt) need to be added to trusted certificate repository. Then site can detect by JavaScript that local gateway available on 8443 port and switch to it. |
Adding
nsiProtocolHandler.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT
to the handlers should allow the URI schemes to be used to load subresources into secure contexts.Public gateways use TLS anyway and thus can already be embedded as 3rd party content. Private gateways hopefully are under control of the user / in a trusted network.
The text was updated successfully, but these errors were encountered: