Script causing `SecurityError` when run from site on https server

[andrewheiss]

Using the latest version of remark (as of 2018-07-04), attempting to use remarksync triggers the following security error in Firefox:

SecurityError: The operation is insecure.  remarksync.js:555

connect             https://omnibs.github.io/remarksync/web/static/assets/js/remarksync.js:555:19
start               https://omnibs.github.io/remarksync/web/static/assets/js/remarksync.js:1165:4
SlideSync           https://omnibs.github.io/remarksync/web/static/assets/js/remarksync.js:1255:3
<anonymous>         https://omnibs.github.io/remarksync/web/static/assets/js/remarksync.js:1306:20

The error can be reproduced by using boilerplate-remote.html and modifying it slightly:

<script src="https://remarkjs.com/downloads/remark-latest.min.js">
</script>
<script>
  var slideshow = remark.create();
</script>
<script src="https://omnibs.github.io/remarksync/web/static/assets/js/remarksync.js"></script>

Chrome gives more details about the error: the Phoenix Heroku app seems to not support WSS:

The page at 'https://example.com' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://calm-caverns-50885.herokuapp.com/socket/websocket?token=undefined&vsn=1.0.0'. This request has been blocked; this endpoint must be available over WSS.

[andrewheiss]

This may be a deeper issue, though. When placing the slideshow on a non-https server, I get this error in Firefox only:

Firefox can’t establish a connection to the server at ws://calm-caverns-50885.herokuapp.com/socket/websocket?token=undefined&vsn=1.0.0.

It works as expected in Chrome.

[omnibs]

Thanks for the detailed report!

I did some poking around tonight and weirdly enough had less luck than you. ws://calm-caverns-50885.herokuapp.com/socket is actually giving me 301 redirects in Chrome and I can't get remarksync to work at all.

I sorta figure Heroku itself started enforcing SSL since I deployed this back in 2016, that's why I get redirects (I don't understand why you're not getting them tho), so I tried using wss:// (ssl websockets) but that gets me 403 errors without any useful info.

I had to build a Dockerfile to be able to build and run remarksync again locally, it built and ran but I didn't get much time to debug what's going on.

Will dig some more soon.

[andrewheiss]

Do you have a link to the Dockerfile? I'd be interested in tinkering with it too if you do.

[omnibs]

I pushed it here 117b2d0

If you run into problems running/compiling (I did, some ranch app not found error), it's some FS timestamp problem. Running a shell in the container and doing

$ mix deps.clean -all
$ mix clean
$ mix deps.get
$ mix compile
$ iex -S mix phoenix.server

should make it work.