
Reason to enable `network.websocket.allowInsecureFromHTTPS` in Firefox (and security implications)

Open 501st-alpha1 opened this issue 1 year ago • 2 comments

Why do I need to enable network.websocket.allowInsecureFromHTTPS in Firefox?

I was going through the Firefox Linux guide to make sure one of my devices was set up correctly, when I came across this step:

  1. Next, search for network.websocket.allowInsecureFromHTTPS and set the value to true:

There isn't any explanation there, and I managed to find the PR which added this step, but I don't see an explanation there either.

Based on some brief web searching, my understanding is this setting allows connections from insecure websockets (i.e. ws:// instead of wss://) created on otherwise secure web pages (HTTPS). Once I got my Root CA cert set up, I've always connected to my Embassy over HTTPS (whether to .local or .onion), so that part makes sense, but are there certain Start9 services that are creating insecure websockets for some reason? If so, wouldn't any data passed over such websockets be exposed to anyone watching the network traffic? (Not a huge risk over local/Tor networks, but I'm still not excited about the idea.)

What's worse is this appears to be a global setting, so it would apply to any websites I visit, not just my Start9 services. Thus if my understanding of this is correct, I'd prefer to find workarounds for any Start9 services that need it (e.g. maybe I just don't use Firefox for that service), rather than enabling this setting globally.

Please let me know if I'm misunderstanding anything here.

501st-alpha1, Aug 18 '23 01:08

Ah, I just found #323 (it wasn't showing up in my initial search for some reason), which mentions doing this for Nostr. This does make sense, because users may connect to some Nostr relays over plain ws:// (though I think most of mine are wss:// anyway).

My thoughts above still stand, so unless there is some other major reason this is needed, would it be better to note this in the docs as optional and only needed for some services?

501st-alpha1, Aug 18 '23 01:08

Thank you for reaching out and expressing your concerns regarding the network.websocket.allowInsecureFromHTTPS setting in Firefox. I appreciate your thoroughness in seeking clarification, and I'm here to address your points.

Its implementation was driven by the need to support Nostr and specific relay connections over plain ws://.

It's worth noting that through Tor, all traffic is encrypted regardless of this setting, so the security implications might not be as critical in that context. While enabling this setting has no impact on Tor traffic, we understand your valid point about security for non-Tor connections.

Rest assured, we're actively working on a solution to eliminate this dependency and uphold security standards.

k0gen, Aug 19 '23 08:08
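
Added example, not part of the thread or of Start9's documentation: a Node.js check that reads a Firefox profile's `prefs.js` text to see whether the global preference is enabled, and sorts a relay list into the plain `ws://` entries (the only ones an HTTPS page needs the preference for) and the rest. The function names are hypothetical, and the page URL, relay hostnames and prefs text are constructed samples.

```javascript
// Added example; function names and all sample data are constructed.
const PREF = "network.websocket.allowInsecureFromHTTPS";

// Effective value of PREF in prefs.js / user.js text. Later entries override
// earlier ones; commented-out lines are ignored; absent means default (false).
function insecureWsAllowed(prefsText) {
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/gm;
  let value = false;
  for (const m of prefsText.matchAll(re)) {
    if (m[1] === PREF) value = m[2] === "true";
  }
  return value;
}

// Split relay URLs into those an HTTPS page can reach only with PREF enabled
// (plain ws://), those that need no change, and entries that are not
// WebSocket URLs at all.
function classifyRelays(pageUrl, relayUrls) {
  const out = { needsPref: [], noPrefNeeded: [], invalid: [] };
  const pageIsHttps = new URL(pageUrl).protocol === "https:";
  for (const raw of relayUrls) {
    let u;
    try { u = new URL(raw.trim()); } catch { out.invalid.push(raw); continue; }
    if (u.protocol === "wss:") out.noPrefNeeded.push(u.href);
    else if (u.protocol === "ws:") (pageIsHttps ? out.needsPref : out.noPrefNeeded).push(u.href);
    else out.invalid.push(raw);
  }
  return out;
}

// Constructed sample input.
const SAMPLE_PREFS = `
user_pref("browser.startup.page", 3);
// user_pref("network.websocket.allowInsecureFromHTTPS", false);
user_pref("network.websocket.allowInsecureFromHTTPS", true);
`;
const SAMPLE_RELAYS = ["wss://relay-a.example", "WS://Relay-B.example:7777",
                       "https://relay-c.example", "not a url"];

const result = classifyRelays("https://server.example.local", SAMPLE_RELAYS);
console.log("pref enabled:", insecureWsAllowed(SAMPLE_PREFS));
console.log("relays that require it:", result.needsPref);
```

If `needsPref` comes back empty, nothing in the relay list depends on the preference and it can stay at its default of `false`.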