Mixed Content Warning when using localhost Gateway
#328
Comments
lidel
added
kind/discussion
|
I think the OS is a concern we should doublecheck -- I know that both FF and Chrome have been pretty inconsistent on multiple vectors when it comes to IPv6 DNS (changed behaviour over time, different behaviour on different OSes, config flag removals). This in particular doesn't directly affect what we're doing, it's just something to check. Otherwise sounds good to me! |
|
@lgierth yeah, after I created this issue started playing with |
|
I'm in favour of switching back to 127.0.0.1 and fixing the mixed content warning. |
|
Alright, this change landed in v2.1.1beta6 🌵 |
- longer hostnames are truncated and no longer break status popup - `127.0.0.1` is normalized to `localhost` when Preferences are saved - IPFS resources on localhost are excluded from gateway redirect (this solves problems with multiple nodes running locally) - closes #291
|
same problem here,my website https://musing-pare-9e8d81.netlify.com/ it show me that |
|
For the record, this changed at some point and
We should flip normalization, as |
jessicaschilling
added
topic/design-ux
This one is kind of Rube Goldberg machine, so I'll start with a bit of background information.
Mixed Content warning happens when a page loaded over HTTPS contains a resource (eg. image) that is loaded from insecure HTTP. Browser vendors recognized that loading content over unencrypted HTTP from the box browser is running on is a special case that provides similar security guarantees to HTTPS over the internet, so they whitelisted
127.0.0.1and it no longer trigger the warning.IPFS Companion defaults to using
localhostinstead of127.0.0.1since #291 was closed. To be more specific, if user enters gateway URL that includes127.0.0.1it will be replaced with hostnamelocalhost.The goal was to improve UX in Location Bar (
localhostlooks much better than raw IP), but it came with unexpected side effect regarding Mixed Content whitelisting implemented in Firefox and Chrome. It seems that browsers whitelisted127.0.0.1but notlocalhost, which still produces Mixed Content warning.In our use case, the Mixed Content Warning is triggered when there is an IPFS resource on HTTPS page and ipfs-companion's redirect loads it from Local Gateway that has
localhostin its URL.(I used pls.watch as a PoC in examples below, because it is a public HTTPS site that enables users to trigger Mixed Content Warning by loading external resources from HTTP URLs)
127.0.0.1(O.K.)Firefox: the green padlock
Chrome: the green padlock + "Secure"
localhost(Mixed Content Warning)Firefox: grey padlock with warning
Chrome: no padlock, warning under
(i)iconFor now, we need to decide what is more important:
localhostin Location Bar at a cost of signaling that use of local IPFS gateway is somehow "not secure"or
127.0.0.1in location bar.Personally, I think "keeping the green padlock" is more important and we should go back and default to
127.0.0.1. Rationale: we can work with browser vendors to whitelistlocalhostand switch back to it at a later time, when it does not cause Mixed Content Warning.I am usually biased towards security over UX, so would love to hear what others think before doing any changes.
References:
127.0.0.1since v55)127.0.0.1since v53)The text was updated successfully, but these errors were encountered: