[Spice-devel] wss forced on spice.html

Frediano Ziglio fziglio at redhat.com
Fri Feb 10 14:47:29 UTC 2017 

> 
> Hi Cory,
> 
> 
> On 01/29/2017 04:38 PM, Cory Schwartz wrote:
> > Hi,
> > 
> > I noticed on the example page
> > https://www.spice-space.org/spice-html5/spice.html
> > that you are unable to connect to a websocket where SSL is not
> > implemented. The reason for this is that the original site redirects
> > to https and the websocet is ws:// not wss://. One is greeted with an
> > error which states the operation is insecure and it does not attempt
> > the connection. I haven't tested whether this is true of all web
> > browsers, I think given this is just an example page it's reasonable
> > in this case to permit HTTP and HTTPS so develpers are not required to
> > add SSL to the projects they are developing at early stages.
> 

The page was updated by Pavel connecting using wss:// instead of ws://

> I've just tried this page in Firefox, and I see the error you are
> getting.  Arguably, the right solution is to mirror the logic in
> spice_auto.html and make the connection be wss:// in this case, not ws://.
> 
> With that said, the example page is really not intended as anything more
> than a taste, and the spice.html file itself is meant as a starting
> template.  You should feel free to download and host it yourself and
> tweak it to your hearts content.
> 
> I don't host spice-space.org, but I think the web as a whole is moving
> towards https, not away, so I suspect you'd find strong, and
> justifiable, resistance to hosting this page as http://.
> 
> I'll see about getting a patch to auto select wss://, along with a
> corresponding note that folks will need to have a websockify running
> with ssl support, to the template page.
> 
> Cheers,
> 
> Jeremy
> 
> > 
> > I am sure there is legitimate disagreement to this position,
> > especially now that encryption keys are cheaper and more prevalent
> > than ever, but this is a testing page so tests should be reducible to
> > the simplest possible level.
> > Perhaps a message could be included if you are not using HTTPS that
> > all traffic is not encrypted and susceptible to interception from
> > attacks, but users can use at their own risk.
> > In fact, I would see this a greater testing page if http and https
> > could be selected and tested independently.

Frediano

More information about the Spice-devel mailing list