From m.b.taylor at bristol.ac.uk Mon Oct 5 16:54:11 2020 From: m.b.taylor at bristol.ac.uk (Mark Taylor) Date: Mon, 5 Oct 2020 15:54:11 +0100 (BST) Subject: SAMP from HTTPS is (sometimes) working In-Reply-To: References: Message-ID: Dear apps-samp, this is a belated follow-up to my posting about HTTPS and SAMP; in summary, although a few years ago it looked hopelessly broken, it now works without any special measures on some brower/OS platforms but not others. As browsers are evolving, that position seems to be improving. In a posting last year I asked if volunteers could try it out on their browsers and record what does and doesn't work. Then we can figure out whether browser coverage is good enough to bring SAMP+HTTPS back from the grave. I provided a link to try it out with, but it was broken for reasons connected with firewalls, and I said I'd repost here when I'd sorted it out. Following a very long fight with my IT department, I've worked around local restrictions. Bottom line: I've fixed it so you can test very easily whether your browser (or, even better, browsers) works with HTTPS+SAMP, just follow the instructions at this wiki page: https://wiki.ivoa.net/twiki/bin/view/IVOA/WebSampHttps If you have an idle minute or two, please have a go and record your results! Thanks Mark On Fri, 15 Nov 2019, Mark Taylor wrote: > Post Script: the HTTPS server at > https://andromeda.star.bristol.ac.uk/sampjs/ > that I invited people to try is currently not available > because of a firewall I didn't realise was there. > I'm trying to get this lifted, I will post back here with updates. > > Sorry for the inconvenience, > > Mark > > On Tue, 12 Nov 2019, Mark Taylor wrote: > > > Hi all, > > > > further developments on this long story. This posting is rather > > technical, but it does represent progress. > > > > Felix Stoehr recently reported to me that Web SAMP over HTTPS actually > > works out of the box, with no browser extensions, for Google Chrome. > > I tested it out, and he's right: using Chromium v78 (on Ubuntu 18.04) > > SAMP connections from HTTPS-hosted web pages work perfectly. > > You can try it yourself using the working examples listed in the > > "Examples" section of https://andromeda.star.bristol.ac.uk/sampjs/. > > > > I was, to put it mildly, surprised by this: it means that the > > insurmountable problem I've been bleating about for the last few > > years (see http://andromeda.star.bristol.ac.uk/websamp/) > > just doesn't exist, at least for some browsers, moreover rather > > recent ones. What's going on? > > > > It turns out that the relevant standards have changed since I last > > read them in detail. XMLHttpRequest accesses to localhost http > > services (the hub) from an https context (a Web SAMP client) > > is blocked as Mixed Active Content according to the W3C Mixed Content > > document https://www.w3.org/TR/2015/CR-mixed-content-20151008/, > > and that's what I based my analysis of the problem on in my > > presentations in Sydney and Cape Town > > (http://wiki.ivoa.net/internal/IVOA/InteropOct2015Applications/samp-https.pdf, > > http://wiki.ivoa.net/internal/IVOA/InterOpMay2016-GWS/tlsamp.pdf). > > However, a more recent version of the Mixed Content document > > (https://www.w3.org/TR/2016/CR-mixed-content-20160802/) > > has updated the definition of an "a priori authenticated URL" to > > include "Potentially Trustworthy" URLs. This in turn via the > > W3C Secure Contexts document (https://www.w3.org/TR/secure-contexts) > > means that any URL whose host is the loopback address > > (127.0.0.1 for IPv4 or ::1 for IPv6) does not count as mixed content. > > The latest unpublished draft of the Secure Contexts document > > (https://w3c.github.io/webappsec-secure-contexts/, 15 March 2019) > > extends this in some cases to use of the hostname "localhost" as well > > as the numeric loopback addresses. > > > > That means that under current W3C recommendations, HTTPS web pages > > should be able to contact the SAMP hub at http://127.0.0.1:21012/, > > and maybe http://localhost:21012/, and thereby use Web SAMP as normal, > > without having to jump through any other hoops. > > > > This is great news, since in principle it means we can forget all about > > the weird and ugly solutions I was talking about recently in Groningen, > > as well as browser extensions. But it does rely on the browsers people > > are using actually implementing the current W3C recommendations. > > Do they? > > > > As reported above, it looks like Chromium/Chrome does do this, > > apparently since version 53 (2016); see e.g. > > e.g. https://chromium.googlesource.com/chromium/src.git/+/130ee686f > > At least in v79 it works for "localhost" as well as "127.0.0.1". > > > > My reading about Firefox suggests that it *ought* to work since > > version 55 (2017), but it doesn't work for me on version 59 or 70. > > The FF mixed content notes at > > https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content > > say this: > > > > Note: Since Firefox 55, the loading of mixed content is allowed on > > http://127.0.0.1/ (see bug 903966). Chrome allows mixed content on > > http://127.0.0.1/ and http://localhost/. Safari does not allow any > > mixed content. > > > > The discussion at https://bugzilla.mozilla.org/show_bug.cgi?id=903966 > > suggests that maybe this works only for GET but not POST, which > > (via XMLHttpRequest) is what SAMP requires, but it's not very clear. > > Trying to use SAMP from HTTPS on firefox v70 tells me: > > > > "Cross-Origin Request Blocked: The Same Origin Policy disallows > > reading the remote resource at http://127.0.0.1:21012/. > > (Reason: CORS request did not succeed). > > https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed > > > > I don't think the problem is to do with CORS though, since there doesn't > > appear to be any network activity associated with this error. > > If anybody can get to the bottom of this firefox issue I'd really like > > to hear. > > > > What now? > > > > Given the above, it looks like just sitting back and waiting might fix > > this problem. If Chrome is implementing the Web-SAMP-over-HTTPS-enabling > > changes today, then other browsers may follow suit in future > > (Firefox is apparently part-way there). > > In the mean time, browser extensions like the one that Sonia has > > developed for those browsers that don't yet allow this are a good > > sticking plaster, but hopefully won't be a long-term maintenance burden. > > > > I don't think any changes to the SAMP standard are required > > (except possibly an erratum to recommend using the loopback address > > rather than "localhost" in the well-known Web Profile Hub URL at > > sec 5.2.3 and 5.3). > > Some minor changes to software could be useful though: > > > > - samp.js should probably change to contact the hub at the > > numeric loopback address rather than localhost. > > See https://github.com/astrojs/sampjs/issues/7. > > > > - The JSAMP hub with the minor Origin-checking changes required > > to get Sonia's extension working > > (http://mail.ivoa.net/pipermail/apps-samp/2019-November/001018.html) > > should be released and incorporated into future Hub-containing > > applications (topcat, aladin, ...). I'll make a new JSAMP release > > some time soon. > > > > - It would be nice to have some boilerplate that HTTPS-Web SAMP > > pages can incorporate giving user instructions: > > check current browser and advise on necessary action if any, > > e.g. upgrade browser version or install browser extension. > > > > Plus, reports about whether other browsers (IE?) are able to do > > Web SAMP from HTTPS (e.g. does > > https://andromeda.star.bristol.ac.uk/sampjs/examples/sendlist.html > > successfully send a table to e.g. topcat?) would be very useful. > > > > Mark > > > > -- > > Mark Taylor Astronomical Programmer Physics, Bristol University, UK > > m.b.taylor at bris.ac.uk +44-117-9288776 http://www.star.bris.ac.uk/~mbt/ > > > > -- > Mark Taylor Astronomical Programmer Physics, Bristol University, UK > m.b.taylor at bris.ac.uk +44-117-9288776 http://www.star.bris.ac.uk/~mbt/ > -- Mark Taylor Astronomical Programmer Physics, Bristol University, UK m.b.taylor at bris.ac.uk +44-117-9288776 http://www.star.bris.ac.uk/~mbt/