<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<span>Hi All, <br>
</span>
<div><br>
</div>
<div>We would like to share with you our current SAMP over HTTPS implementation and latest tests.<br>
</div>
<div><br>
</div>
<div>Here at SSDC (ASI) we use the TOPCAT Experimental kindly provided by Mark Taylor, which includes an internal TLS HUB that connects to a relay server where a servlet (also by Mark Taylor) receives and dispatches SAMP messages with our https web pages and
TOPCAT itself.<br>
</div>
<div>In our initial deployment we relied on the Java Web Start framework to run TOPCAT and manage/enable the https interactions between the TOPCAT JVM and the relay server (tomcat).<br>
</div>
<div>We recently noted that the JVM (with Java >= SE8) is able to manage the above https interactions without the Java Web Start framework, so we are changing our web pages accordingly.
<br>
</div>
<div><br>
</div>
<span>We have also tested the browser extension provided by Sonia Zorba for Chrome and Firefox and we confirm that it works as expected.</span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
We will continue to use our current solution, without JWS, eventually revising it when W3C recommendations on<br>
mixed content are consistently implemented.<br>
</div>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size:12pt;
color:#000000; background-color:#ffffff;
font-family:Calibri,Arial,Helvetica,sans-serif">
<p style="margin-top: 0px; margin-bottom: 0px;"><br>
Daniele Navarra,<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;">Francesco Verrecchia</p>
<p style="margin-top: 0px; margin-bottom: 0px;">and Cristina Leto<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;"><br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;">--</p>
<p style="margin-top: 0px; margin-bottom: 0px;">ASI, Space Science Data Center<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;">Rome, Italy<br>
</p>
<a class="moz-txt-link-abbreviated" href="http://www.ssdc.asi.it">www.ssdc.asi.it</a><br>
</div>
</div>
<br>
<div class="moz-cite-prefix">On 11/15/2019 05:36 PM, Mark Taylor wrote:<br>
</div>
<blockquote type="cite" cite="mid:alpine.DEB.2.21.1911151634530.7585@IT076926">
<pre wrap="">Post Script: the HTTPS server at
<a class="moz-txt-link-freetext" href="https://andromeda.star.bristol.ac.uk/sampjs/">https://andromeda.star.bristol.ac.uk/sampjs/</a>
that I invited people to try is currently not available
because of a firewall I didn't realise was there.
I'm trying to get this lifted, I will post back here with updates.
Sorry for the inconvenience,
Mark
On Tue, 12 Nov 2019, Mark Taylor wrote:
</pre>
<blockquote type="cite">
<pre wrap="">><i> Hi all,
</i>><i>
</i>><i> further developments on this long story. This posting is rather
</i>><i> technical, but it does represent progress.
</i>><i>
</i>><i> Felix Stoehr recently reported to me that Web SAMP over HTTPS actually
</i>><i> works out of the box, with no browser extensions, for Google Chrome.
</i>><i> I tested it out, and he's right: using Chromium v78 (on Ubuntu 18.04)
</i>><i> SAMP connections from HTTPS-hosted web pages work perfectly.
</i>><i> You can try it yourself using the working examples listed in the
</i>><i> "Examples" section of <a href="https://andromeda.star.bristol.ac.uk/sampjs/">https://andromeda.star.bristol.ac.uk/sampjs/</a>.
</i>><i>
</i>><i> I was, to put it mildly, surprised by this: it means that the
</i>><i> insurmountable problem I've been bleating about for the last few
</i>><i> years (see <a href="http://andromeda.star.bristol.ac.uk/websamp/">http://andromeda.star.bristol.ac.uk/websamp/</a>)
</i>><i> just doesn't exist, at least for some browsers, moreover rather
</i>><i> recent ones. What's going on?
</i>><i>
</i>><i> It turns out that the relevant standards have changed since I last
</i>><i> read them in detail. XMLHttpRequest accesses to localhost http
</i>><i> services (the hub) from an https context (a Web SAMP client)
</i>><i> is blocked as Mixed Active Content according to the W3C Mixed Content
</i>><i> document <a href="https://www.w3.org/TR/2015/CR-mixed-content-20151008/">https://www.w3.org/TR/2015/CR-mixed-content-20151008/</a>,
</i>><i> and that's what I based my analysis of the problem on in my
</i>><i> presentations in Sydney and Cape Town
</i>><i> (<a href="http://wiki.ivoa.net/internal/IVOA/InteropOct2015Applications/samp-https.pdf">http://wiki.ivoa.net/internal/IVOA/InteropOct2015Applications/samp-https.pdf</a>,
</i>><i> <a href="http://wiki.ivoa.net/internal/IVOA/InterOpMay2016-GWS/tlsamp.pdf">http://wiki.ivoa.net/internal/IVOA/InterOpMay2016-GWS/tlsamp.pdf</a>).
</i>><i> However, a more recent version of the Mixed Content document
</i>><i> (<a href="https://www.w3.org/TR/2016/CR-mixed-content-20160802/">https://www.w3.org/TR/2016/CR-mixed-content-20160802/</a>)
</i>><i> has updated the definition of an "a priori authenticated URL" to
</i>><i> include "Potentially Trustworthy" URLs. This in turn via the
</i>><i> W3C Secure Contexts document (<a href="https://www.w3.org/TR/secure-contexts">https://www.w3.org/TR/secure-contexts</a>)
</i>><i> means that any URL whose host is the loopback address
</i>><i> (127.0.0.1 for IPv4 or ::1 for IPv6) does not count as mixed content.
</i>><i> The latest unpublished draft of the Secure Contexts document
</i>><i> (<a href="https://w3c.github.io/webappsec-secure-contexts/">https://w3c.github.io/webappsec-secure-contexts/</a>, 15 March 2019)
</i>><i> extends this in some cases to use of the hostname "localhost" as well
</i>><i> as the numeric loopback addresses.
</i>><i>
</i>><i> That means that under current W3C recommendations, HTTPS web pages
</i>><i> should be able to contact the SAMP hub at <a href="http://127.0.0.1:21012/">http://127.0.0.1:21012/</a>,
</i>><i> and maybe <a href="http://localhost:21012/">http://localhost:21012/</a>, and thereby use Web SAMP as normal,
</i>><i> without having to jump through any other hoops.
</i>><i>
</i>><i> This is great news, since in principle it means we can forget all about
</i>><i> the weird and ugly solutions I was talking about recently in Groningen,
</i>><i> as well as browser extensions. But it does rely on the browsers people
</i>><i> are using actually implementing the current W3C recommendations.
</i>><i> Do they?
</i>><i>
</i>><i> As reported above, it looks like Chromium/Chrome does do this,
</i>><i> apparently since version 53 (2016); see
</i>><i> e.g. <a href="https://chromium.googlesource.com/chromium/src.git/+/130ee686f">https://chromium.googlesource.com/chromium/src.git/+/130ee686f</a>
</i>><i> At least in v79 it works for "localhost" as well as "127.0.0.1".
</i>><i>
</i>><i> My reading about Firefox suggests that it *ought* to work since
</i>><i> version 55 (2017), but it doesn't work for me on version 59 or 70.
</i>><i> The FF mixed content notes at
</i>><i> <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content">https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content</a>
</i>><i> say this:
</i>><i>
</i>><i> Note: Since Firefox 55, the loading of mixed content is allowed on
</i>><i> <a href="http://127.0.0.1/">http://127.0.0.1/</a> (see bug 903966). Chrome allows mixed content on
</i>><i> <a href="http://127.0.0.1/">http://127.0.0.1/</a> and <a href="http://localhost/">http://localhost/</a>. Safari does not allow any
</i>><i> mixed content.
</i>><i>
</i>><i> The discussion at <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=903966">https://bugzilla.mozilla.org/show_bug.cgi?id=903966</a>
</i>><i> suggests that maybe this works only for GET but not POST, which
</i>><i> (via XMLHttpRequest) is what SAMP requires, but it's not very clear.
</i>><i> Trying to use SAMP from HTTPS on firefox v70 tells me:
</i>><i>
</i>><i> "Cross-Origin Request Blocked: The Same Origin Policy disallows
</i>><i> reading the remote resource at <a href="http://127.0.0.1:21012/">http://127.0.0.1:21012/</a>.
</i>><i> (Reason: CORS request did not succeed).
</i>><i> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed">https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed</a>
</i>><i>
</i>><i> I don't think the problem is to do with CORS though, since there doesn't
</i>><i> appear to be any network activity associated with this error.
</i>><i> If anybody can get to the bottom of this firefox issue I'd really like
</i>><i> to hear.
</i>><i>
</i>><i> What now?
</i>><i>
</i>><i> Given the above, it looks like just sitting back and waiting might fix
</i>><i> this problem. If Chrome is implementing the Web-SAMP-over-HTTPS-enabling
</i>><i> changes today, then other browsers may follow suit in future
</i>><i> (Firefox is apparently part-way there).
</i>><i> In the meantime, browser extensions like the one that Sonia has
</i>><i> developed for those browsers that don't yet allow this are a good
</i>><i> sticking plaster, but hopefully won't be a long-term maintenance burden.
</i>><i>
</i>><i> I don't think any changes to the SAMP standard are required
</i>><i> (except possibly an erratum to recommend using the loopback address
</i>><i> rather than "localhost" in the well-known Web Profile Hub URL at
</i>><i> sec 5.2.3 and 5.3).
</i>><i> Some minor changes to software could be useful though:
</i>><i>
</i>><i> - samp.js should probably change to contact the hub at the
</i>><i> numeric loopback address rather than localhost.
</i>><i> See <a href="https://github.com/astrojs/sampjs/issues/7">https://github.com/astrojs/sampjs/issues/7</a>.
</i>><i>
</i>><i> - The JSAMP hub with the minor Origin-checking changes required
</i>><i> to get Sonia's extension working
</i>><i> (<a href="http://mail.ivoa.net/pipermail/apps-samp/2019-November/001018.html">http://mail.ivoa.net/pipermail/apps-samp/2019-November/001018.html</a>)
</i>><i> should be released and incorporated into future Hub-containing
</i>><i> applications (topcat, aladin, ...). I'll make a new JSAMP release
</i>><i> some time soon.
</i>><i>
</i>><i> - It would be nice to have some boilerplate that HTTPS-Web SAMP
</i>><i> pages can incorporate giving user instructions:
</i>><i> check current browser and advise on necessary action if any,
</i>><i> e.g. upgrade browser version or install browser extension.
</i>><i>
</i>><i> Plus, reports about whether other browsers (IE?) are able to do
</i>><i> Web SAMP from HTTPS (e.g. does
</i>><i> <a href="https://andromeda.star.bristol.ac.uk/sampjs/examples/sendlist.html">https://andromeda.star.bristol.ac.uk/sampjs/examples/sendlist.html</a>
</i>><i> successfully send a table to e.g. topcat?) would be very useful.
</i>><i>
</i>><i> Mark
</i>><i>
</i>><i> --
</i>><i> Mark Taylor Astronomical Programmer Physics, Bristol University, UK
</i>><i> <a href="http://mail.ivoa.net/mailman/listinfo/apps-samp">m.b.taylor at bris.ac.uk</a> +44-117-9288776 <a href="http://www.star.bris.ac.uk/%7Embt/">http://www.star.bris.ac.uk/~mbt/</a>
</i>><i>
</i>
--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
<a href="http://mail.ivoa.net/mailman/listinfo/apps-samp">m.b.taylor at bris.ac.uk</a> +44-117-9288776 <a href="http://www.star.bris.ac.uk/%7Embt/">http://www.star.bris.ac.uk/~mbt/</a>
</pre>
<hr>
</blockquote>
</blockquote>
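<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p>The loopback exemption Mark describes above, and the user-instruction boilerplate he suggests for HTTPS Web SAMP pages, as an added example that is not part of this thread, of samp.js or of JSAMP: a small JavaScript classifier that decides whether a request from an HTTPS page to a given hub URL falls under the Secure Contexts loopback rule (127.0.0.0/8 or ::1), under the newer draft's "localhost" rule, or is blocked as mixed active content. It assumes the WHATWG URL class (Node.js or a modern browser); the function names and advice wording are ours.</p>
</div>

```javascript
// Added example, not code from the thread, samp.js or JSAMP. Classifies a Web
// SAMP hub URL the way the W3C Secure Contexts / Mixed Content rules cited in
// the thread do, so an HTTPS page can tell the user what to expect.
// Assumes the WHATWG URL class (Node.js or any modern browser).

// Secure Contexts loopback: IPv4 127.0.0.0/8 or IPv6 ::1. The URL parser
// normalises IPv6 literals, so "[::1]" is the only IPv6 form to check.
function isLoopbackHost(hostname) {
  if (hostname === '[::1]') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m[1] === '127' && m.slice(2).every(o => Number(o) <= 255);
}

// "localhost" and "*.localhost" are loopback-equivalent only in the newer
// (2019 draft) Secure Contexts text, and browsers differ, so report separately.
function isLocalhostName(hostname) {
  return hostname === 'localhost' || hostname.endsWith('.localhost');
}

// Returns 'not-https-page', 'secure-scheme', 'loopback-ip', 'localhost-name'
// or 'mixed-content' for a request from pageOrigin to hubUrl.
function classifyHubUrl(pageOrigin, hubUrl) {
  const page = new URL(pageOrigin);
  const hub = new URL(hubUrl);
  if (page.protocol !== 'https:') return 'not-https-page'; // mixed content cannot arise
  if (hub.protocol === 'https:') return 'secure-scheme';
  if (isLoopbackHost(hub.hostname)) return 'loopback-ip';
  if (isLocalhostName(hub.hostname)) return 'localhost-name';
  return 'mixed-content';
}

// Instruction text a Web SAMP page could show the user (wording is ours,
// based only on the browser behaviour reported in the thread).
function hubAccessAdvice(pageOrigin, hubUrl) {
  switch (classifyHubUrl(pageOrigin, hubUrl)) {
    case 'loopback-ip':
      return 'Hub at the loopback address: current W3C Mixed Content rules allow this; ' +
        'if the connection still fails, your browser has not implemented those rules yet.';
    case 'localhost-name':
      return 'Hub named "localhost": exempt only in the newer Secure Contexts draft; ' +
        'prefer 127.0.0.1 (see sampjs issue 7).';
    case 'mixed-content':
      return 'Hub is plain http on a non-loopback host: blocked as mixed active content.';
    default:
      return 'No mixed-content restriction applies.';
  }
}
```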
<br>
</body>
</html>