63

We have a websocket server on port 8080 setup on a Linode box. Chrome and Opera work just fine. Firefox however complains that the operation is insecure.

"The operation is insecure: Code 18"

If I try to create a new WebSocket object in the web console before the page is loaded everything is fine. However, after the page loads something is screwy then I cannot create the object anymore. See the attached screenshot.enter image description here

I have no idea what operation is insecure or even how to go about diagnosing this.

bcardarella
  • 4,667
  • 4
  • 29
  • 45
  • 1
    I should note that this works fine in development mode connecting to localhost. The Websocket server is exposed directly to the internet on Linode – bcardarella Aug 01 '12 at 22:01
  • Is this a new version of Firefox? They disabled Websockets for a few versions due to security issues. – Dreen Aug 01 '12 at 22:03
  • @Dreen it is the latest but as you can see on the top of the screenshot I am able to establish a Websoccket connection without issue before loading the page – bcardarella Aug 01 '12 at 22:04

6 Answers6

93

As you point out in another answer, https:// to ws:// is disallowed by default on firefox.

Going to firefox's about:config and toggling network.websocket.allowInsecureFromHTTPS will get rid of the SecurityError.

frogatto
  • 28,539
  • 11
  • 83
  • 129
Frandromedo
  • 959
  • 5
  • 4
67

I fixed this. The app itself is under SSL but the websocket being accessed is not. Chrome and Opera don't care but Firefox does. According to:

https://bugzilla.mozilla.org/show_bug.cgi?id=303952

This is known and is not considered a bug. Mozilla's response: wontfix

Solution, put websocket server under SSL and use wss://

bcardarella
  • 4,667
  • 4
  • 29
  • 45
  • 8
    Can you provide info on how to `put websocke server under SSL and use wss://` I'm not sure what exactly you mean to do that. – Leeish Mar 19 '14 at 15:30
  • @Leeish To use make a secure websocket client, just specify the url with `wss://`. To enable SSL/TLS on the server, you need to refer to the documentation of whatever websocket server you are using. It is possible that TLS is not supported. – newprogrammer Jan 14 '15 at 19:34
  • I don't think this bugzilla link is correct, it (currently) points to something about HTTPS certificate mismatches when using SSL tunneling. The solution is still technically correct, though IMHO the better fix is to turn on `allowInsecureFromHTTPS` so Firefox behaves like other browsers... – Coderer Jul 20 '17 at 15:32
  • Unfortunately you can't ask your (test) users to change firefox config for that, nor always ask to install a custom certificate if you can't afford one. – Kyordhel Nov 24 '17 at 22:47
  • 1
    Thank you so much for this answer. Was pulling my hair out and the solution came down to adding a single character on the frontend ('ws://' to 'wss://'). – NateQ May 22 '18 at 16:16
0

This is a hunch based off limited info, and I probably should put this into a comment, but I don't have enough reputation points to do that yet.

Looking at your log, it seems as if 24 seconds are passing from the receipt of [object Websocket] (time 17:46:36.683) until you get The connection to ws://.....(time 17:47:00:952) error message.The long delay leads me to believe that the server could be timing out and closing the websocket connection. Look at this answer for a potential solution.

Community
  • 1
  • 1
laker
  • 569
  • 1
  • 4
  • 17
  • If that is the case then why is Chrome and Opera working just fine? – bcardarella Aug 01 '12 at 23:50
  • good point, probably not a server-side timeout unless the server responds differently to different user-agents, which is unlikely... – laker Aug 01 '12 at 23:55
  • actually, it could be possible that the same time-out is occurring, regardless of browser, but that only Firefox is reporting a securityError. Are other browsers re-establishing a websocket? BTW does Linode support websocket? A quick google search provided no conclusive info – laker Aug 02 '12 at 00:03
  • the application is working fine with Chrome and Opera, the websocket server is performing as expected. We have multiple concurrent users with those browsers and no hiccups. – bcardarella Aug 02 '12 at 00:39
  • As far as Linode's websocket support, there is no "support" of Websockets as Linode just provides a VPS. It is up to us to build the server. The websocket server itself is exposed directly to the internet, no proxy inbetween. – bcardarella Aug 02 '12 at 00:40
0

Had the same problem and attempted to fix by changing network.websocket.allowInsecureFromHTTPS in about:config which did not work.

Ended up finding this post => Unhandled Rejection (SecurityError): The operation is insecure. On a fresh create-react-app project

Changing this in index.js ended up working for me

serviceWorker.register();
//serviceWorker.unregister();
AvidDabbler
  • 551
  • 6
  • 19
0

Open "about:config" url in firefox. Search for allowInsecureFromHTTPS and set it to true

user665327
  • 1
0

Beside secure ssl context and cross-origin policies, assigning some port can trigger the error as well.

What are valid http ports for Firefox? I don't know precisely, but have to be between 1500 and 64000, or the console will display:

SecurityError: The operation is insecure.

And http links will say:

This address is restricted

This address uses a network port which is normally used for purposes other than Web browsing.
Firefox has canceled the request for your protection.

enter image description here

NVRM
  • 11,480
  • 1
  • 88
  • 87