This question really addresses cross-domain requests to Localhost, at the same time as the problem of secure websites accessing local services in the absence of control over the local network (setting up DNS, or other solutions). Specifically Safari and Chrome allow mixed access to localhost, while FF 23+ does not.

We do not want to inconvenience users and force them to use a single browser.

  1. Can we use JSONP to access plain http servers running on localhost from web pages served securely? (our initial experiments say this can work)

  2. Will other browser manufacturers follow suit and bar mixed content access from localhost like FF?

FF has had a feature request open for this for over a year and nothing has happened, besides a lot of discussion. See: https://bugzilla.mozilla.org/show_bug.cgi?id=903966

Our feeling is that other browsers will also tighten security.

Ron Wertlen
    Take a look at [this question](http://stackoverflow.com/questions/613962/is-jsonp-safe-to-use) for some discussion on JSONP security. Personally, I don't see how browsers could possibly stop supporting it, since it's not much different from a plain script request to a third party domain, which will always be supported. – Joe Enos Sep 25 '14 at 15:33
  • Why would you want to program an alternative protocol? CORS + proper markup language is totally fine. – Bergi Sep 25 '14 at 15:45
  • Thanks for your comments and the downvote. I adjusted the question to compensate. – Ron Wertlen Sep 30 '14 at 07:41

1 Answer

  1. No. You cannot use JSONP to overcome the mixed content restriction for localhost on FF 23+. The initial experiments were wrong and FF applies its mixed content rules consistently. I found a very good document [1] which basically outlines the following possibilities:

    • Use a fully-qualified domain name certificate and DNS domain suffix search. This carries costs.
    • Use an enterprise/private CA (local Certificate Authority) to issue and trust certificates for non-unique names
    • Manually provision trust in self-signed certificates - let the user import your certificates into the browser.
    • Use IPSec
    • Additionally, you can program a plugin for FF

  2. If you examine this thread at Mozilla, https://bugzilla.mozilla.org/show_bug.cgi?id=844556#c58 there is a comparison to IE's intranet mode, which causes problems for users and developers alike because it is non-standard and for other reasons discussed there. I expect most manufacturers will follow.

[1] https://www.globalsign.com/resources/white-paper-internal-server-names-ip-address-requirements.pdf

Ron Wertlen
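As an added example (not code from the question or the answer), here is a simplified model of the mixed content decision the answer relies on: a JSONP request is a plain `<script src=...>` load, so it is classified exactly like any other script. The `trustLocalhost` flag is an assumption that models the browser difference the question describes (Safari/Chrome allowing http://localhost, FF 23+ blocking it); the page origin and endpoint URLs are constructed.

```javascript
// Simplified model of a browser's mixed content decision, written for this
// answer as an added example (it is not code from the question or answer).
// Terminology follows the W3C Mixed Content spec: "blockable" content is
// always blocked on a secure page, "optionally-blockable" content may load
// with a warning. `trustLocalhost` is an assumption that models the browser
// difference described above (Safari/Chrome allow http://localhost, FF 23+ blocks).

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Active content: scripts, XHR/fetch, frames, stylesheets, fonts.
const BLOCKABLE_TYPES = new Set(["script", "xhr", "fetch", "iframe", "stylesheet", "font"]);

function isPotentiallyTrustworthy(url, opts) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  // Some browsers treat the loopback host as trustworthy even over plain http.
  return Boolean(opts.trustLocalhost) && LOOPBACK_HOSTS.has(url.hostname);
}

// Returns "allow", "block" or "warn" for loading `resourceUrl` (of the given
// resource type) into a document served from `documentUrl`.
function mixedContentDecision(documentUrl, resourceUrl, type, opts = {}) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);
  if (doc.protocol !== "https:") return "allow"; // only secure pages have mixed content
  if (isPotentiallyTrustworthy(res, opts)) return "allow";
  return BLOCKABLE_TYPES.has(type) ? "block" : "warn";
}

// A JSONP request is nothing more than a <script src="...?callback=cb">
// element, so it is judged exactly like any other script load. The element
// is only modelled here, never inserted into a page.
function jsonpDecision(documentUrl, endpoint, callbackName, opts = {}) {
  const src = new URL(endpoint);
  src.searchParams.set("callback", callbackName);
  return { src: src.href, decision: mixedContentDecision(documentUrl, src.href, "script", opts) };
}

function demo() {
  const securePage = "https://app.example/dashboard";    // constructed
  const plainLocal = "http://localhost:8080/api/status"; // constructed
  return {
    jsonpFirefox: jsonpDecision(securePage, plainLocal, "cb", { trustLocalhost: false }).decision, // "block"
    jsonpChrome: jsonpDecision(securePage, plainLocal, "cb", { trustLocalhost: true }).decision,   // "allow"
    // The answer's fix: serve the local service over HTTPS with a locally trusted certificate.
    httpsLocal: mixedContentDecision(securePage, "https://localhost:8443/api/status", "xhr"),     // "allow"
  };
}

console.log(demo());
```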