Midori does not use proxy settings for websockets

Bug #1210796 reported by André Stösel
274
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Midori Web Browser
Confirmed
Critical
Unassigned

Bug Description

Dunno if it's possible to use a proxy for websockets (i couldn't find anything in the webkit-gtk api) but midori should at least ask the user if he wants to connect directly or not.
(It's a huge security risk if you use stuff like TOR.)

Tags: proxy security
André Stösel (ivaldi)
Changed in midori:
milestone: none → 0.5.6
status: New → Confirmed
importance: Undecided → Critical
tags: added: proxy
information type: Public → Public Security
Cris Dywan (kalikiana)
summary: - Midori does not use proxy srttings for websockets
+ Midori does not use proxy settings for websockets
Revision history for this message
Cris Dywan (kalikiana) wrote :

There's no superficial reason why proxies can't work with web sockets unless WebKitGTK+ specifically uses a separate code path to connect. In general, ws(s) URLs go through HTTP(S) and thus use a proxy if there's one.
The main point of failure would be an implied proxy in your network that messes up your sockets.

This is a good article about it http://www.infoq.com/articles/Web-Sockets-Proxy-Servers

As far as Midori goes the real concern is that we have no easy test case that sets up a proxy, connects some socket and makes sure that it gets used. Same for prefetching, same for HTTP(s) in general.

Cris Dywan (kalikiana)
Changed in midori:
milestone: 0.5.6 → 0.5.7
Cris Dywan (kalikiana)
Changed in midori:
milestone: 0.5.7 → garage
Cris Dywan (kalikiana)
tags: added: security
Revision history for this message
Michael Catanzaro (mike-catanzaro) wrote :

A quick check of the code suggests that the WebSocket implementation uses soup for network requests, so I don't see why this would be a problem, but if I'm wrong and the issue still exists in modern WebKit (2.8+), then _please_ report a bug upstream!

Not that prefetch does not currently use the proxy, https://bugs.webkit.org/show_bug.cgi?id=145542

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.