[Spice-devel] wss forced on spice.html

Pavel Grunt pgrunt at redhat.com
Fri Feb 10 15:20:44 UTC 2017 

On Fri, 2017-02-10 at 09:47 -0500, Frediano Ziglio wrote:
> > 
> > Hi Cory,
> > 
> > 
> > On 01/29/2017 04:38 PM, Cory Schwartz wrote:
> > > Hi,
> > > 
> > > I noticed on the example page
> > > https://www.spice-space.org/spice-html5/spice.html
> > > that you are unable to connect to a websocket where SSL is not
> > > implemented. The reason for this is that the original site
> > > redirects
> > > to https and the websocet is ws:// not wss://. One is greeted
> > > with an
> > > error which states the operation is insecure and it does not
> > > attempt
> > > the connection. I haven't tested whether this is true of all web
> > > browsers, I think given this is just an example page it's
> > > reasonable
> > > in this case to permit HTTP and HTTPS so develpers are not
> > > required to
> > > add SSL to the projects they are developing at early stages.
> 
> The page was updated by Pavel connecting using wss:// instead of
> ws://
> 
yeah, it was.

anyway I would recommend to follow
 https://www.spice-space.org/spice-html5.html
and use it locally - www.spice-space.org/spice-html5/spice.html is an
artifact from the old page and it is pretty outdated

I also opened https://gitlab.com/spice/spice-space/issues/1 for
integrating spice-html5 into the website (to use the same style as
other pages etc.) We can probably do it with a submodule which would
be updated automatically. I don't plan to enable http://

Thanks for comments, suggestions (and patches :))

Pavel

> > I've just tried this page in Firefox, and I see the error you are
> > getting.  Arguably, the right solution is to mirror the logic in
> > spice_auto.html and make the connection be wss:// in this case,
> > not ws://.
> > 
> > With that said, the example page is really not intended as
> > anything more
> > than a taste, and the spice.html file itself is meant as a
> > starting
> > template.  You should feel free to download and host it yourself
> > and
> > tweak it to your hearts content.
> > 
> > I don't host spice-space.org, but I think the web as a whole is
> > moving
> > towards https, not away, so I suspect you'd find strong, and
> > justifiable, resistance to hosting this page as http://.
> > 
> > I'll see about getting a patch to auto select wss://, along with a
> > corresponding note that folks will need to have a websockify
> > running
> > with ssl support, to the template page.
> > 
> > Cheers,
> > 
> > Jeremy
> > 
> > > 
> > > I am sure there is legitimate disagreement to this position,
> > > especially now that encryption keys are cheaper and more
> > > prevalent
> > > than ever, but this is a testing page so tests should be
> > > reducible to
> > > the simplest possible level.
> > > Perhaps a message could be included if you are not using HTTPS
> > > that
> > > all traffic is not encrypted and susceptible to interception
> > > from
> > > attacks, but users can use at their own risk.
> > > In fact, I would see this a greater testing page if http and
> > > https
> > > could be selected and tested independently.
> 
> Frediano
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel

More information about the Spice-devel mailing list