3

I have a small web application that needs to make calls to a device on my local network. It does this using fetch to the local IP address of the device (e.g. http://192.168.1.25:8060). The device does not serve its traffic over HTTPS and cannot. The web application is public facing and I would like to add a service worker for offline support.

Service workers require HTTPS, and calls from an HTTPS origin to a non-HTTPS origin are a security risk and so are not allowed by modern browsers. Without using a local proxy (which would defeat the purpose), is there some way around this "limitation"?

How can "https://example.com" make a call to http://192.168.1.25:8060?

Aaron Cicali

1 Answer

0

Possible duplicate of How can I allow Mixed contents (http with https) using content-security-policy meta tag?. Browsers won't allow this because it breaks the user trust model.

A local HTTPS proxy is ideal. Configure a public DNS entry like internal.example.com with a low TTL (if your internal IP changes often) to point to your internal IP. Create a trusted SSL cert for that subdomain, then run your local HTTPS proxy with that SSL cert. If your internal server is behind a firewall, point internal.example.com to a public web server first, create the cert on that public server, then copy the cert and change the DNS to your local server. Or use a wildcard cert *.example.com to avoid that "temporary public" hassle entirely.

anthumchris
  • thanks, but this application *could* be used by anyone with one of these devices. For this reason, the local IP address might need to be changed by the user through the application. I don't see any other way around this issue - it seems that offline support using a service worker is not an option :( – Aaron Cicali May 11 '20 at 04:45
  • 1
    What about running HTTPS with a self-signed CA that's explicitly trusted by the devices? – anthumchris May 11 '20 at 07:38
  • In this case, the devices are completely outside of my control. The device in question is a Roku TV. The web application can be found at http://remote.aaroncicali.com. The TV can be controlled by simple http requests. For my own personal device, I have the device's IP reserved in the router and hard-coded in the application. In the future I may add IP discovery of the device (or multiple devices). I'd also like to resolve this question and add offline support using a service worker. – Aaron Cicali May 12 '20 at 08:46
  • I believe the design of Service Workers makes it impossible to resolve my specific issue, but this answer is the most acceptable. Thanks @AnthumChris – Aaron Cicali May 28 '20 at 17:42
  • Just wanted to add that an HTTPS origin *can* make calls to `http://127.0.0.1` as it is considered a trusted origin. This may help if your goal is to make requests to a server on the same machine. – Aaron Cicali Aug 05 '20 at 18:16
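
The local HTTPS proxy suggested in the answer, sketched for Node.js as an added example that is not part of the original thread. It assumes a certificate for internal.example.com already exists; the environment variable names, port 8443 and the GET/POST allow-list are hypothetical choices. The upstream target is fixed and only the public app's origin is accepted, so the proxy cannot be used by other sites to reach the device or other LAN hosts.

```javascript
// Added example: HTTPS front end for the plain-HTTP device from the question.
const APP_ORIGIN = 'https://example.com';            // public web app (from the question)
const DEVICE = { host: '192.168.1.25', port: 8060 }; // LAN device (from the question)

// Only the public app's origin gets CORS headers; every other origin gets none.
function corsHeaders(origin) {
  if (origin !== APP_ORIGIN) return {};
  return { 'Access-Control-Allow-Origin': APP_ORIGIN, 'Access-Control-Allow-Methods': 'GET, POST', Vary: 'Origin' };
}

// The upstream host and port are fixed; only the method and an origin-form path
// are passed through. Absolute-form URLs (proxy-style requests) are rejected.
function upstreamOptions(method, path) {
  if (!['GET', 'POST'].includes(method)) return null;
  if (typeof path !== 'string' || !path.startsWith('/')) return null;
  return { host: DEVICE.host, port: DEVICE.port, method, path };
}

async function startProxy(keyPath, certPath, listenPort = 8443) {
  const { readFileSync } = await import('node:fs');
  const https = await import('node:https');
  const http = await import('node:http');
  const tls = { key: readFileSync(keyPath), cert: readFileSync(certPath) };
  return https.createServer(tls, (req, res) => {
    const cors = corsHeaders(req.headers.origin);
    const allowed = Object.keys(cors).length > 0;
    if (req.method === 'OPTIONS') {              // CORS preflight
      res.writeHead(allowed ? 204 : 403, cors);
      return res.end();
    }
    const opts = upstreamOptions(req.method, req.url);
    if (!opts || !allowed) { res.writeHead(403); return res.end(); }
    const up = http.request(opts, (devRes) => {
      const type = devRes.headers['content-type'] || 'application/octet-stream';
      res.writeHead(devRes.statusCode, { 'Content-Type': type, ...cors });
      devRes.pipe(res);
    });
    up.on('error', () => { if (!res.headersSent) res.writeHead(502, cors); res.end(); });
    req.pipe(up);
  }).listen(listenPort);
}

// Start only when certificate paths are supplied (hypothetical variable names).
if (process.env.PROXY_TLS_KEY && process.env.PROXY_TLS_CERT) {
  startProxy(process.env.PROXY_TLS_KEY, process.env.PROXY_TLS_CERT)
    .catch((e) => { console.error(e.message); process.exit(1); });
}
```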