Websocket Connection blocked when serving over HTTPS #195

Closed
sebastianhaeni opened this issue Jul 5, 2018 · 4 comments

@sebastianhaeni
Contributor

The opened WebSocket connection is always ws:. If the file is served via HTTPS, this should be wss: or else the browser will block the connection.

Message from Chrome:

bundle-report.html:formatted:967 Mixed Content: The page at 'https://foo.bar/bundle-report.html' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://foo.bar/'. This request has been blocked; this endpoint must be available over WSS.

The culprit is here, probably:

ws = new WebSocket(`ws://${location.host}`);

@valscion
Member

valscion commented Jul 6, 2018

You're right about that. Do you have an idea of how complicated it would be to support secure web sockets from the node server side?

Or, as the connection likely won't succeed anyway as you're probably not running a watcher when serving over HTTPS, should we just not try opening the websocket connection in the first place if the page is served over HTTPS?

@sebastianhaeni
Contributor Author

I don't know much about Secure WebSocket in Node.

My case would be solved if I could either

  • disable web sockets in the options
  • or WebSockets are disabled by default on HTTPS

As a side note, why an option to disable it would be good:
We are serving the bundle report on a server which also has a Content Security Policy header. So, just for the bundle report, I had to add another CSP directive to allow WebSocket connections, otherwise it would be reported to our CSP Reporting Service. So if it could be disabled in the options, that would be very helpful. Or maybe it could even be disabled by default in static-mode?

@brandondoran

I just ran into the same problem in Jenkins. I'm using webpack-bundle-analyzer in static mode and publishing the report.html using the Jenkins publishHtml plugins. I agree that disabling websockets in static mode makes a lot of sense. The report displays (after relaxing Jenkins CSP settings) but it would be nice to silence the error.

@valscion
Member

If either one of you feels like taking a stab at this, we'd be happy to review a PR ☺️
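
The two behaviours discussed in this thread (matching the WebSocket scheme to the page's scheme, and not opening a socket at all when it is disabled or the report is static), as an added example that is not part of the issue or the project's code. The option names `enableWebSocket` and `mode`, the helper names, and the sample locations are assumptions made for illustration.

```javascript
// Added example, not webpack-bundle-analyzer code. `enableWebSocket` and
// `mode` are hypothetical option names used only for this illustration.
function resolveWebSocketUrl(loc, opts = {}) {
  const { enableWebSocket = true, mode = 'server' } = opts;
  // Opt-out requested in the thread: an explicit switch, and no socket at all
  // for a static report (nothing is listening, and CSP would only log noise).
  if (!enableWebSocket || mode === 'static') return null;
  if (!loc || !loc.host) return null; // e.g. file:// has an empty host
  // Match the page's scheme so an HTTPS page never requests plaintext ws:.
  switch (loc.protocol) {
    case 'https:': return `wss://${loc.host}`;
    case 'http:': return `ws://${loc.host}`;
    default: return null; // unknown scheme: do not guess
  }
}

// Opens the socket only when a URL was resolved. WebSocketImpl is injected so
// the logic can run outside a browser; in a page it would be window.WebSocket.
function openLiveUpdates(loc, opts, WebSocketImpl, onMessage) {
  const url = resolveWebSocketUrl(loc, opts);
  if (url === null) return null;
  try {
    const ws = new WebSocketImpl(url);
    ws.onmessage = onMessage;
    return ws;
  } catch (err) {
    // The constructor can throw (for example on a malformed URL); the report
    // still renders, it just gets no live updates.
    return null;
  }
}

// Constructed stand-in for the browser WebSocket; records requested URLs.
class FakeWebSocket {
  constructor(url) { FakeWebSocket.opened.push(url); this.url = url; }
}
FakeWebSocket.opened = [];

// Constructed locations mirroring the cases in the thread.
const httpsPage = { protocol: 'https:', host: 'foo.bar' };
const devPage = { protocol: 'http:', host: 'localhost:8888' };
openLiveUpdates(httpsPage, {}, FakeWebSocket, () => {});
openLiveUpdates(devPage, {}, FakeWebSocket, () => {});
openLiveUpdates(httpsPage, { mode: 'static' }, FakeWebSocket, () => {});
console.log(FakeWebSocket.opened);
```

With the socket skipped in static mode, a report published behind a strict Content Security Policy needs no extra `connect-src` allowance for WebSockets.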
