Prevent mixed content warnings for TLS sites embedding ipfs URIs

[the8472]

Adding nsiProtocolHandler.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT to the handlers should allow the URI schemes to be used to load subresources into secure contexts.

Public gateways use TLS anyway and thus can already be embedded as 3rd party content. Private gateways hopefully are under control of the user / in a trusted network.

[lidel]

I am okay with adding the flag: content-addressing provides better protection against MITM than TLS anyway (as long as user controls the gateway).

We probably need to add a new section to SECURITY.md and explicitly advise people against use of custom gateways outside of their control.

I am worried we don't see all security implications. Perhaps we should add this as a separate preference (disabled by default):
"Allow resources from HTTP Gateway to be loaded in HTTPS contexts"

[Kubuxu]

It would be great to have this, currently for example https://ipfs.pics doesn't work on the redirect, one has to use http version which is much much worst.

Also FF people are considering making all localhost as trusted content, only opposition are those who want to block browser off localhost completely. https://bugzilla.mozilla.org/show_bug.cgi?id=903966

[lidel]

@Kubuxu

https://ipfs.pics doesn't work on the redirect

I tried to replicate, but https://ipfs.pics/QmR48aP79GaXfs5rh469kAJw9wDLA5yYrcgsL5gyuQjmBe loads http://127.0.0.1:8080/ipfs/QmR48aP79GaXfs5rh469kAJw9wDLA5yYrcgsL5gyuQjmBe just fine, the only drawback is mixed-content warning:

Am I missing something?

[Kubuxu]

Hmm, I thought it was blocking the mixed content completely but it looks like it works now.

Sorry for that.

[lidel]

Update via Bug 903966 - Don't block mixed content from localhost:

According to the spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:

• w3c/webappsec-mixed-content@349501c
• https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Note that we only whitelist '127.0.0.1' and '::1' to match Chrome 53 and
later. See:

• https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

[lidel]

I just confirmed that there is no "mixed content" warning under Firefox 56 when using local (127.0.0.1) gateway.

[ivan386]

I install stunnel on 8443 port and make certificate for 127.0.0.1 and other domains. Root certificate (rootcert.pem or rootcert.crt) need to be added to trusted certificate repository. Then site can detect by JavaScript that local gateway available on 8443 port and switch to it.