Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebREPL doesn't work over HTTPS, should issue warning. #15

Open
skorokithakis opened this issue Sep 6, 2016 · 6 comments
Open

WebREPL doesn't work over HTTPS, should issue warning. #15

skorokithakis opened this issue Sep 6, 2016 · 6 comments

Comments

@skorokithakis
Copy link

Due to security constraints, the WebREPL won't work when served over HTTPS. There should be a message if it's loaded over HTTPS that says something like "please access the WebREPL over HTTP or download it and open it as a local file".

@dpgeorge
Copy link
Member

dpgeorge commented Sep 7, 2016

Where do you access it using HTTPS? And in what way does in not work (it must already be giving you a warning)?

@skorokithakis
Copy link
Author

I was accessing it on https://micropython.org/webrepl/, as well as my own site (which is HTTPS-only). Whenever I tried to connect, the entire page would just reload, without any warning at all. I only realized what was happening when I looked at the Chrome console (after preserving the log, because the messages were getting deleted) and saw the warnings there.

One nice improvement would be to use local storage to store the IP address, because it's very annoying to have to retype it every time. I can open a separate issue for that.

@pfalcon
Copy link
Contributor

pfalcon commented Sep 18, 2016

So far, I've added a warning about this condition to README: acf6666 . While possibly not helpful, this is definitely a lack of useful and user-friendly handling of the issue on browser side. While an idea to patch this in each and every WebSocket application is tempting, the real improvement can happen only on browsers' side.

One nice improvement would be to use local storage to store the IP address, because it's very annoying to have to retype it every time.

I and other people don't experience this issue, because there's a browser autocompletion for that field. (So may be another browser issue.)

@skorokithakis
Copy link
Author

@pfalcon Yeah, exactly, there was no user-visible warning for me, just the console one, which I noticed by accident.

I don't know why my browser doesn't autocomplete the field, unfortunately. I'm just using the latest Chrome.

@dpgeorge
Copy link
Member

Autocomplete (giving a drop-down of previously used addresses) works for me in a recent version of Firefox.

@derekenos
Copy link

It doesn't look like the changes introduced by #19 are live at https://micropython.org/webrepl/

Comparing https://micropython.org/webrepl/ to the current repo's version of webrepl.html:

$ curl -s https://micropython.org/webrepl/ > live_https_webrepl.html; \
> curl -s https://raw.githubusercontent.com/micropython/webrepl/4cb755698470b9160bdb0a58d5ff54176cfc1abb/webrepl.html > repo_webrepl.html; \
> diff live_https_webrepl.html repo_webrepl.html
108a109
>       show_https_warning();
115a117,130
> function show_https_warning() {
>     if (window.location.protocol == 'https:') {
>         var warningDiv = document.createElement('div');
>         warningDiv.style.cssText = 'background:#f99;padding:5px;margin-bottom:10px;line-height:1.5em;text-align:center';
>         warningDiv.innerHTML = [
>             'At this time, the WebREPL client cannot be accessed over HTTPS connections.',
>             'Use a HTTP connection, eg. <a href="http://micropython.org/webrepl/">http://micropython.org/webrepl/</a>.',
>             'Alternatively, download the files from <a href="https://github.com/micropython/webrepl">GitHub</a> and run them locally.'
>         ].join('<br>');
>         document.body.insertBefore(warningDiv, document.body.childNodes[0]);
>         term.resize(term.cols, term.rows - 7);
>     }
> }
> 
239a255
>         term.off('data');
336a353,356
> 
> document.getElementById('put-file-select').addEventListener('click', function(){
>     this.value = null;
> }, false);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants