3

I'm trying to make desktop application that receives messages from a page running in the browser. The desktop application can be written in any way, i just need to be able to talk to it from the browser. The web site is written in angular. I don't care about the response from the desktop application or need to communicate back to the browser in any way. Serving the website over https is causing issues though (but a requirement), and I was wondering what a good way around those would be.

The ideal solution was to make the app a web server and just have the website post to localhost:PORT and the server would get the request and do what it needed to do. however, since the website is served over https, it blocks the http request to localhost due to mixed content rules.

i tried submitting a form on the page and having the target be a hidden iframe, but that also gets blocked due to it not being https.

I tried changing the target to be _blank, and that "worked" but it opens a new tab with the response in it, which would be really annoying while you're using the website (it's supposed to be in the background). I set up the response to have a window.close in it, but the window still flickers for a second each time and it's something i would like to avoid.

I tried making a self signed certificate for the desktop application's server but the browser blocks that until you accept it for the first time, and I don't want people to have to go to "https://localhost:1234" in their browser and accept the insecure. I'm imagining getting a valid certificate for a localserver isn't possible too.

Is there any to accomplish this? Thanks

bdwain
  • 1,665
  • 16
  • 35
  • have you considered/tried jsonp? – GitaarLAB Feb 28 '15 at 17:47
  • yes but doesn't it just help you get around the same origin policy? Wouldn't a script tag referencing an http site (instead of https) be blocked ? – bdwain Feb 28 '15 at 17:53
  • well, the fastest answer would be to TRY IT. Make an external script called tst.js with contents: `alert('jsonp loaded');` and host it on your server. Then in your active-destop (?) app, load the external script. – GitaarLAB Feb 28 '15 at 17:56
  • there are other ways to connect to a server other than http – charlietfl Feb 28 '15 at 18:04
  • Hmm, indeed, @charlieftl is right. If your `desktop application can be written in any way` meaning that you are not using an (embedded) browser (controll) (which is the thing that is enforcing the 'same origin policy'), then you can control the whole communication-flow.. – GitaarLAB Feb 28 '15 at 18:12
  • @GitaarLAB it was blocked. Mixed Content: The page at BLAH was loaded over HTTPS, but requested an insecure resource 'http://localhost:6795/tmp.js'. This request has been blocked; the content must be served over HTTPS. – bdwain Feb 28 '15 at 18:15
  • What is your host (what gave that error-message)? Is it a regular browser? What exactly do you mean by 'background desktop application'? – GitaarLAB Feb 28 '15 at 18:17
  • the same origin policy has not been an issue. I set my desktop server to return proper CORS headers. the browser the website runs in is the thing that would enforce the same origin policy though, not the desktop app. – bdwain Feb 28 '15 at 18:18
  • @GitaarLAB yes. I have a website (written in angular) running in chrome. I would like to set up a background task (easy to do in angular) that somehow sends a message to a desktop application running on the same computer as the browser. by background desktop application I just meant it's just running without any interaction. like a tray icon on windows or something along those lines. – bdwain Feb 28 '15 at 18:20
  • @charlietfl what alternatives to http do you think would work well from the browser? – bdwain Feb 28 '15 at 18:21
  • I think finally understand. A variation to one of the solutions given in [this Q&A](http://stackoverflow.com/questions/6793174/third-party-signed-ssl-certificate-for-localhost-127-0-0-1) and [this Q&A](http://stackoverflow.com/questions/21397809/create-a-self-signed-ssl-cert-for-localhost-for-use-with-express-node) *was* freely available under [readme.localtest.me/](http://readme.localtest.me/), however their certificates were revoked. That leaves the question, why do you need SLL for the traffic on the user's local machine? – GitaarLAB Feb 28 '15 at 18:57
  • i only need SSL for local traffic because of browser security rules that prevent you from talking to non https servers from pages served over https. – bdwain Feb 28 '15 at 19:34
  • @bdwain I have a similar web app that needs to request localhost. Have you finally find a way to load resource from https site to http localhost? Thanks! – leetom Dec 22 '17 at 08:50

1 Answers1

2

You can redirect the browser to http://localhost:PORT (e.g. using status code 302 or window.location in JS) and pass data to desktop app in query string. That should execute in browser without warning. Then you can return some html back from desktop app to browser. If your data for desktop app are too big to encode in query string, you can pass just url in query string where desktop app can download the data.

Juraj Majer
  • 567
  • 5
  • 10
  • wouldn't that leave my angular app and open whatever is returned by localhost? – bdwain Feb 28 '15 at 20:05
  • Yes, true. Maybe you can return some meaningful html incl. angular from localhost. I don't know your app or scenario. I used this approach once and in my scenario it was not user-unfriendly to load new page (from localhost) in browser. – Juraj Majer Feb 28 '15 at 20:18
  • One more idea (not tested): passive mix content (images etc.) are not blocked by default. Maybe you can try to load image in angular app from localhost and pass data to desktop app along (http://localhost:port/logo.jpg?). – Juraj Majer Feb 28 '15 at 20:42
  • oh i didn't think of an image tag. that might work well. i'll try it out. – bdwain Feb 28 '15 at 22:05
  • the image tag works and only gives warnings. it's not ideal, but sounds like it's the best option I have. thanks! – bdwain Mar 03 '15 at 21:51
  • @bdwain, I have the same question about all of this, and sorry by this later interruption, but, How you got img tag works? I were working all night long in that and I only got to pass parameters to my local server, I don´t know how to obtain some information from the server in this way. Thanks in advance – Jordy Baylac Aug 26 '16 at 20:06
  • @Jordy Baylac, I don't think it is possible using img tag to pass data from local server back to browser. As bdwain stated in his question "I don't care about the response from the desktop application". You can get only boolean info back - send img data to browser or don't send img data. And then check in JS if img was loaded. Another approach to this problem is stated in this spec https://eevertti.vrk.fi/documents/2634109/2858578/SCS-signatures_v1.0.1.pdf (chapter 2.3). In short: desktop app installs root cert to trust store and then you can post data to https://localhost without warning. – Juraj Majer Sep 06 '16 at 14:42
  • Yes it's possible, I did it recently, using steganogaphy. Thanks for the answer, I will see that point of view. – Jordy Baylac Sep 06 '16 at 17:51