Last active: November 27, 2017 22:47
Go to any https page and paste this into the JavaScript console
```javascript
// Secure: a wss:// endpoint, allowed from an https page
const wss = new WebSocket('wss://demos.kaazing.com/echo')
wss.onmessage = (msg) => console.log(msg)
setTimeout(() => wss.send('ping'), 1000)

// Standard: a plaintext ws:// endpoint, treated as mixed content by an https page
const ws = new WebSocket('ws://demos.kaazing.com/echo')
ws.onmessage = (msg) => console.log(msg)
setTimeout(() => ws.send('insecure ping'), 1000)

// On Chrome Version 64.0.3274.0, from pages served via https, the `wss` object connects.
// However, the `ws` object only connects from pages served via plaintext `http`.
```
I experimented a bit more and just encountered a host that does, in fact, block cross origin WS/WSS: github.com.
This is because Chrome honors the standard Content-Security-Policy HTTP header, which github.com sets:

```
VM55:1 Refused to connect to 'wss://demos.kaazing.com/echo' because it violates the following Content Security Policy directive: "connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com".
```

You can verify by looking at Chrome -> DevTools -> Network tab -> click the first HTTP request -> look at Response headers.
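Added example, not code from the gist or from the comment above: a small JavaScript model of the two checks a browser makes before a `new WebSocket(...)` call from a page is allowed to connect. The first is mixed-content blocking, which is what stops the gist's `ws://` socket on an https page; the second is the Content-Security-Policy `connect-src` check from the comment. Source matching follows the CSP Level 3 rules in simplified form (no path matching, no redirect handling, no report-only policies), and browser versions have differed on details such as whether `'self'` or a scheme-less host covers `wss://`. The header string is copied from the console error quoted above and the kaazing and github.com URLs are the page's own; the page origin `example.test` and the smaller policies are constructed for the example. It opens no sockets, so it runs offline.

```javascript
// Added example, not code from the gist or its comments. Models the two checks a browser
// applies before a page may open a WebSocket: mixed-content blocking and the CSP
// connect-src directive. Source matching follows CSP Level 3 in simplified form (no path
// matching, no redirect handling, no report-only policies). Runs offline: no sockets opened.

// Copied from the github.com console error quoted in the comment above.
const GITHUB_CSP =
  "connect-src 'self' uploads.github.com status.github.com collector.githubapp.com " +
  "api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com " +
  "github-production-repository-file-5c1aeb.s3.amazonaws.com " +
  "github-production-upload-manifest-file-7fdce7.s3.amazonaws.com " +
  "github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com";

// Header -> Map of directive name -> source expressions. A repeated directive is ignored
// (the first occurrence wins), as the spec requires.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Scheme-part matching: an expression scheme also covers schemes the spec treats as at
// least as secure (http -> https, ws -> wss/https, wss -> https), never the other way.
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === 'http' && urlScheme === 'https') return true;
  if (exprScheme === 'ws' && (urlScheme === 'wss' || urlScheme === 'https')) return true;
  if (exprScheme === 'wss' && urlScheme === 'https') return true;
  return false;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const effectivePort = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// One source expression ('self', 'none', scheme-source or host-source) against a URL.
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    // Same host and port as the page; the scheme must be the page's own or a secure one.
    return url.hostname === page.hostname && effectivePort(url) === effectivePort(page) &&
      (url.protocol === page.protocol || url.protocol === 'https:' || url.protocol === 'wss:');
  }
  const urlScheme = url.protocol.slice(0, -1);
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/.exec(e);          // e.g. "https:"
  if (schemeOnly) return schemeMatches(schemeOnly[1], urlScheme);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/.*)?$/.exec(e);
  if (!m) return false;                                          // unparseable: never matches
  const [, exprScheme, exprHost, exprPort] = m;
  // A scheme-less host inherits the page's scheme, so in this model "uploads.github.com" on
  // an https page covers https://uploads.github.com but not wss://uploads.github.com; a
  // WebSocket endpoint needs its scheme spelled out, as wss://live.github.com is above.
  if (!schemeMatches(exprScheme || page.protocol.slice(0, -1), urlScheme)) return false;
  if (exprHost === '*') { /* any host */ }
  else if (exprHost.startsWith('*.')) { if (!url.hostname.endsWith(exprHost.slice(1))) return false; }
  else if (exprHost !== url.hostname) return false;
  if (exprPort === '*') return true;
  if (exprPort === undefined) return url.port === '';           // must be the scheme's default port
  return exprPort === effectivePort(url);
}

// Verdict for a page at pageUrl opening targetUrl under cspHeader ('' = no policy sent).
function connectionVerdict(pageUrl, targetUrl, cspHeader) {
  const page = new URL(pageUrl);
  const url = new URL(targetUrl);
  // 1. Mixed content: an https page may not open ws:// or http:// endpoints at all.
  //    This is the rule behind the gist's note that `ws` only connects from plaintext pages.
  if (page.protocol === 'https:' && (url.protocol === 'ws:' || url.protocol === 'http:')) {
    return 'blocked: mixed content';
  }
  // 2. CSP: connect-src, falling back to default-src; with neither there is no restriction.
  const directives = parseCsp(cspHeader || '');
  const name = directives.has('connect-src') ? 'connect-src' : 'default-src';
  const sources = directives.get(name);
  if (sources === undefined) return 'allowed';
  if (sources.some((expr) => sourceMatches(expr, url, page))) return 'allowed';
  return `blocked: violates "${name} ${sources.join(' ')}"`;
}

// The page origin example.test is constructed; the kaazing and github.com URLs are from the page.
for (const [page, target, csp] of [
  ['https://github.com/', 'wss://demos.kaazing.com/echo', GITHUB_CSP], // the comment's error
  ['https://github.com/', 'wss://live.github.com/', GITHUB_CSP],
  ['https://example.test/', 'ws://demos.kaazing.com/echo', ''],        // the gist's `ws` case
  ['http://example.test/', 'ws://demos.kaazing.com/echo', ''],
]) {
  console.log(`${page} -> ${target}: ${connectionVerdict(page, target, csp)}`);
}
```

To check a real site, paste the value of its Content-Security-Policy response header (from the Network tab, as the comment describes) into `connectionVerdict` as `cspHeader` together with the page URL and the endpoint you intend to open; a `blocked: violates` verdict corresponds to the "Refused to connect" console error, while `blocked: mixed content` is thrown by the `WebSocket` constructor itself before any policy is consulted.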