HTTPS is forced if available instead of using HTTP
- [X] Bug Report
- [ ] Feature Request
- [X] Successfully reproduced against the latest version of NW.js?
Current Behavior
Using an SDK version of NWJS to be able to open devtools and check requests...
package.json

```json
{ "name": "profile1", "main": "main.js" }
```

main.js

```javascript
// this site doesn't redirect to https, and is the original to test with.
//nw.Window.open( "http://sp.d3x0r.org/ballcaller/dist", {}, (window)=>window.showDevTools() )
nw.Window.open( "http://www.github.com/nwjs/nw.js", {}, (window)=>window.showDevTools() )
```
Save both files in a directory and start NWJS with `nw .` (the '.' is needed, otherwise a default window opens).
In order to see the behavior (since devtools doesn't open until some time after the site loads, and github redirects to HTTPS anyway), in devtools' console type location.href="http://www.github.com/nwjs/nw.js" (ctrl-R reloads the HTTPS version and doesn't work to demonstrate). Check the first request under the network tab, the Headers tab 'General' section Request URL indicates 'https://www.github.com/nwjs/nw.js' and not the specified http://... address.
In versions 0.76.1 and before (I tested several versions: 0.60, 0.70, 0.74.0, 0.75.0, 0.76.0 and 0.76.1) the first request is 'http://www.github.com/nwjs/nw.js'.
With the alternate URL (http://sp.d3x0r.org/ballcaller/dist) there is no redirect configured, and all requests should show HTTP as the Request URL protocol; however, in versions 0.77.0+ the first request is https:// not http:. Using Wireshark, with the HTTP address (in version 0.79.1), two sockets are opened to HTTP port 80, but no requests are sent on those, and a connection is made to HTTPS port 443, and the first request goes there. Since the site (sp.d3x0r.org) has SSL enabled, and works, the requests are then all made over HTTPS instead of HTTP.
Expected/Proposed Behavior
The URL specified when opening the window should be used as the first request (though of course if the server specifies a redirect to https it should follow that).
Additional Info
- Operating System: Windows
- NW.js Version: 0.77.0+
~~Both github and sp.d3x0r.org have https redirects if from http. But let's say it didn't.~~ This might be from https-first being enabled. I don't know how to disable it.
I tried httpvshttps (no redirect) and see the same behavior. http://www.httpvshttps.com/ https://www.httpvshttps.com/
If sp.d3x0r.org did have a redirect, then 76.1 and before would also show all requests (except the first) over https, which they don't. But in nwjs 77+ the first request is also https.
Chrome and Edge would also redirect. If you just put in the address (without a protocol) then of course chrome and edge try https first, but that's not a redirect.
Let me reiterate - you must use 'location.href=http:// ...' in the console of devtools to see it in the network request list. Using refresh will just request https again (in the case of github). With sp.d3x0r.org in 76.1 and before, refresh works fine and stays in http, because there is no redirect set up.
Okay sorry to add noise. It doesn't redirect to https. It was a directory redirect. Anyway I agree, it looks like in nwjs, https first is enabled.
Pretty sure https first applies only if you only specify a hostname/address, without protocol.... chrome and edge would also pick https first, but don't if the protocol is also specified.
and 0.76.1 and before did not have this behavior. And that https first has been a thing for a long time....
https://blog.chromium.org/2023/08/towards-https-by-default.html?m=1 @d3x0r Is this a bug?
I'm of the opinion that this is not a bug. Please let me know if I'm wrong/missed something here.
This can stay closed; however yes it is a bug; and the forced promotion is a bad idea, but I understand the motivation. It's fine that the webpage falls back to http if the cert fails, etc... but the problem comes in when it's a websocket connection within the page that fails, and only accepts ws:. The project was subsequently updated so the PHP7.2 Elephant IO is able to connect to the socketio service over wss:// (though it really doesn't do it right, and the option to enable it is to ignore checking certs). So it's not really going to be an issue in the future... the problem is a bunch of obsolete code that really should be updated to more modern platforms. Unlike JS, PHP doesn't have the idea of 'don't break the web' and many of the changes in newer versions make code that used to work just fine fail catastrophically.
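The following is an added example, not code from this issue or from the NW.js project. It models the two behaviours the thread describes: the HTTPS-First upgrade of an explicit `http://` navigation (with fallback to `http://` when the `https://` attempt fails), and the mixed-content rule that makes a `ws://` socket fail once the page has been upgraded to `https://`. It also includes the check from the reproduction steps (comparing the first recorded request URL with the URL the app asked for) and a scheme-matching helper a page can use to keep working either way. The fallback rule, the socket host `socket.example.test` and the `/socket.io/` path are assumptions made for the example; only the GitHub URL comes from the issue's `main.js`.

```javascript
// Added example (not from the NW.js issue or project). Models the HTTPS-First
// upgrade discussed in the thread and its mixed-content consequence for sockets.
// Uses only the WHATWG URL API, available in Node.js and browsers.

// Scheme of the first request a browser with HTTPS-First mode issues for an
// explicit http:// URL. Model assumption (taken from the thread): with the mode
// on, the https:// variant is tried first and the navigation falls back to
// http:// only if the https:// attempt fails (no listener, bad cert, ...).
function firstRequestUrl(requestedUrl, { httpsFirst, httpsReachable }) {
  const u = new URL(requestedUrl);
  if (u.protocol === "http:" && httpsFirst && httpsReachable) {
    u.protocol = "https:"; // http -> https is allowed (both special schemes)
  }
  return u.href;
}

// The check from the reproduction steps: given the request URLs the network
// tab recorded (first entry is the navigation), report whether that navigation
// was upgraded relative to the scheme the app asked for.
function detectSchemeUpgrade(requestedUrl, observedRequestUrls) {
  if (observedRequestUrls.length === 0) return { upgraded: false, first: null };
  const want = new URL(requestedUrl);
  const got = new URL(observedRequestUrls[0]);
  const sameTarget = want.host === got.host && want.pathname === got.pathname;
  const upgraded = sameTarget && want.protocol === "http:" && got.protocol === "https:";
  return { upgraded, first: got.href };
}

// Mixed-content rule for sockets: a document served over https:// may not open
// ws://. A page written against a ws:-only server therefore breaks once the
// navigation has been upgraded, which is the failure the last comment reports.
function socketAllowed(pageUrl, socketUrl) {
  const page = new URL(pageUrl);
  const sock = new URL(socketUrl);
  if (page.protocol === "https:" && sock.protocol === "ws:") {
    return { allowed: false, reason: "mixed content: ws:// from an https:// page" };
  }
  return { allowed: true, reason: "ok" };
}

// Derive the socket scheme from the document's own scheme so the page works
// whether or not it was upgraded. The server must then also accept wss://.
function socketUrlForPage(pageUrl, socketHost, socketPath) {
  const scheme = new URL(pageUrl).protocol === "https:" ? "wss:" : "ws:";
  return `${scheme}//${socketHost}${socketPath}`;
}

// Constructed walk-through using the URL from the issue's main.js.
const requested = "http://www.github.com/nwjs/nw.js";
const observed = [firstRequestUrl(requested, { httpsFirst: true, httpsReachable: true })];
console.log(detectSchemeUpgrade(requested, observed));
// Socket host and path below are constructed placeholders, not from the thread.
console.log(socketAllowed(observed[0], "ws://socket.example.test/socket.io/"));
console.log(socketUrlForPage(observed[0], "socket.example.test", "/socket.io/"));
```

Run it with `node` to see the upgraded first request flagged, the `ws://` socket rejected from the upgraded page, and the `wss://` URL the page should use instead. The model deliberately keeps the fallback as a single boolean (`httpsReachable`) because the thread only establishes that the page falls back when the HTTPS attempt fails, not the exact conditions Chromium applies.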