Hacker News

As discussed in crbug.com/378566, Chrome currently allows connecting to unsafe WebSockets on localhost. So just use a WebSocket to communicate from your HTTPS hosted page to your local server.

And yes, you definitely should whitelist access based on the origin header.
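
The Origin check recommended in the comment above, as an added example that is not code from the thread or from Chrome. It assumes a Node.js local server; the allowed origin `https://app.example.com` and the function names `isAllowedOrigin`, `handshake` and `attach` are hypothetical.

```javascript
// Added example: Origin allowlist enforced during the WebSocket handshake.
const crypto = require('crypto');

const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // constant from RFC 6455
// Assumption: the one HTTPS page that may talk to the local server.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const REASON = { 101: 'Switching Protocols', 400: 'Bad Request', 403: 'Forbidden' };

// Exact match on the serialized origin. Prefix or substring checks would
// accept lookalikes such as https://app.example.com.other.test.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Decide the handshake response from the request headers (lower-cased keys,
// as Node's http module provides them).
function handshake(headers) {
  const key = headers['sec-websocket-key'];
  if (String(headers['upgrade']).toLowerCase() !== 'websocket' || !key) {
    return { status: 400, headers: {} };
  }
  // A missing Origin and the literal "null" are rejected like any other
  // value that is not on the allowlist.
  if (!isAllowedOrigin(headers['origin'])) {
    return { status: 403, headers: {} };
  }
  const accept = crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
  return {
    status: 101,
    headers: { Upgrade: 'websocket', Connection: 'Upgrade', 'Sec-WebSocket-Accept': accept },
  };
}

// Attach to an http.Server that listens on 127.0.0.1 only.
function attach(server) {
  server.on('upgrade', (req, socket) => {
    const res = handshake(req.headers);
    const lines = Object.entries(res.headers).map(([k, v]) => `${k}: ${v}`);
    const data = [`HTTP/1.1 ${res.status} ${REASON[res.status]}`, ...lines, '', ''].join('\r\n');
    // On 101 the socket stays open for WebSocket frames (frame handling not shown).
    if (res.status === 101) socket.write(data); else socket.end(data);
  });
}
```

The Origin header is set by the browser, so this check keeps other websites open in the user's browser from driving the local server; a non-browser local process can send any Origin it likes.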




There's also "CORS and RFC1918"[1], which IMO would be a great way to stop apps from unintentionally exposing themselves to the open web.

[1]: https://wicg.github.io/cors-rfc1918/#headers


I tried this and Chrome complains about mixed mode and forces you to allow this behaviour and then to reload the page before you can get it working. If that's acceptable, then sure, but for actual use it's not really any good.


Did you connect to ws://localhost:<port>/?

As mentioned in the bug above, this approach is currently recommended by Chrome and in use by a number of large applications/sites.

It's completely transparent and is being used in production today.



