Why not use https in the url example with passwords?

[sirkkalap]

Hi,

Would it make sense to use HTTPS when passing passwords in the url?

-Pete

[sirkkalap]

And it seems that the HTTPS is not ok there.

Maybe a warning then?

Password will be blindly broadcast in plain text, is it not?

[t2t2]

Since obs-websocket doesn't support https/wss (obsproject/obs-websocket#26), loading the site over https will block the ws connection in most browsers since it's mixed content. Hence the warning when it is being loaded over https

I don't think the hash part of the URL gets sent to the server (when loading the page) so I think that part is fine, ofc MITM threat still is gonna exist. The connecting itself doesn't broadcast the password but a one-time hash.

Probably worth extra warning somewhere in UI about password security 🤷‍♂️