This repository was archived by the owner on Mar 20, 2021. It is now read-only.

f:websocket problems in mixed secure/unsecure environment (ssl proxy with unsecure server) #4413

@michael-knapp-j4care


I have the following setup at a customer site: I have a website using primefaces 7.0 and JSF 2.3.
The browser is communicating via https with some proxy, but the proxy is communicating via unsecure http with the actual application server (wildfly 18, JSF 2.3.9-SP04).

Since the server is assuming an unsecure connection it generates a ws:// url at startup for the websocket code (in com.sun.faces.context.ExternalContextImpl.encodeWebsocketURL(String))
based on whether the request was unsecure (http) or secure (https) by a simple replace operation:
websocketURL.replaceFirst("http", "ws") - http becomes ws and https becomes wss.

Since the web site was invoked with https:// the unsecure ws:// in combination with the https:// leads to security issues in the web browser:

"Mixed Content: The page at 'https://somepage/site/blabla.jsf' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://somepage/site/javax.faces.push/SomeChannel?someid' This request has been blocked; this endpoint must be available over WSS."

Solution: Decide and generate the WebSocket URL on the client (javascript code in jsf.js) whether to use ws:// or wss://
This will make it more robust in mixed secure/unsecure environments.

I think it was already started there because there is a line
var URL_PROTOCOL = window.location.protocol.replace("http", "ws") + "//";
in jsf.js, but URL_PROTOCOL is used nowhere.
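
An added example, not part of the original issue and not code from jsf.js: one way a client can pick ws:// or wss:// from the protocol the browser actually used, as the issue proposes. The helper name resolveWebsocketUrl and its pageLocation parameter are assumptions made for this illustration.

```javascript
// Added illustration; resolveWebsocketUrl is a hypothetical helper, not part of jsf.js.
// serverUrl:    channel URL as rendered by the server (absolute ws:// or wss://, or a path).
// pageLocation: an object shaped like window.location (protocol, host).
function resolveWebsocketUrl(serverUrl, pageLocation) {
  const pageIsSecure = pageLocation.protocol === "https:";
  const pageScheme = pageIsSecure ? "wss:" : "ws:";

  // Resolve relative and scheme-relative URLs against the page's own origin,
  // so the scheme seen by the browser decides the result, not the one seen
  // by the application server behind the proxy.
  const url = new URL(serverUrl, pageScheme + "//" + pageLocation.host);

  if (url.protocol !== "ws:" && url.protocol !== "wss:") {
    throw new Error("Not a WebSocket URL: " + url.protocol);
  }

  // A server behind a TLS-terminating proxy only sees plain http and emits ws://.
  // On an https page upgrade it to wss://; a wss:// URL is never downgraded.
  if (pageIsSecure && url.protocol === "ws:") {
    url.protocol = "wss:";
  }
  return url.href;
}

// Constructed sample values, modelled on the URL in the browser error quoted above.
const samplePage = { protocol: "https:", host: "somepage" };
const sampleUrl = "ws://somepage/site/javax.faces.push/SomeChannel?someid";
console.log(resolveWebsocketUrl(sampleUrl, samplePage));
```

In a browser the result would be passed to the WebSocket constructor with window.location as the second argument.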
