General project discussion.
Use this as a last resort if your topic does not fit in any of the other boards but it still on-topic.
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
-
andyprough
- Board Warrior
- Posts: 1322
- Joined: 2020-05-31, 04:33
Post
by andyprough » 2026-03-04, 16:58
From the release notes for Pale Moon 34.1.0:
Pale Moon, from this version forward, allows unencrypted websocket connections to localhost addresses even when the calling document was served encrypted.
Is this a good thing or a bad thing? It has the sound of something I wouldn't want - 'unencrypted ... connections ... localhost'
But I don't really know what it means or does, so asking for clarification.
-
Gemmaugr
- Astronaut
- Posts: 551
- Joined: 2025-02-03, 07:55
Post
by Gemmaugr » 2026-03-04, 18:21
Might it be related to this?
https://forum.palemoon.org/viewtopic.ph ... 63#p264258
Though I thought I remembered a thread about someone making their own site and having problems fetching local resources, but I can't find it now.
"Judge a person not by their superficial identity attributes, but by the content of their character."
"Organized Identity Politics are the bane of civilized society."
"Cognitive dissonance hypocrisy is a pandemic."
"Capitalism is the worst form of economic system, except for all the others."
-
Moonchild
- Project founder
- Posts: 39119
- Joined: 2011-08-28, 17:27
- Location: Sweden
Post
by Moonchild » 2026-03-04, 19:31
andyprough wrote: ↑2026-03-04, 16:58
Is this a good thing or a bad thing? It has the sound of something I wouldn't want - 'unencrypted ... connections ... localhost'
Context matters. I'd say it's a good thing, or I would have resisted it
The issue was that loopback connections to localhost would be blocked if the page calling it would be loaded over https - basically our mixed content blocker applying what is good practice on the internet. However, for localhost, this doesn't matter as we're not dealing with foreign content. The same exception for this was made before already for http to localhost, and this extends that exception to mixed content blocking to the websocket protocol.
Allowing these connections allows the browser to interface from a webpage with e.g. specific hardware or APIs that listen on plaintext ports (since encryption on localhost is just adding unnecessary complexity)
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
andyprough
- Board Warrior
- Posts: 1322
- Joined: 2020-05-31, 04:33
Post
by andyprough » 2026-03-04, 19:41
Moonchild wrote: ↑2026-03-04, 19:31
However, for localhost, this doesn't matter as we're not dealing with foreign content.
Ahhh, I see now - this is not about giving external connections unencrypted access to localhost, this is about literally doing something locally with the browser. Thanks for the explanation!
-
Bilbo47
- Lunatic
- Posts: 399
- Joined: 2017-11-18, 04:24
Post
by Bilbo47 » 2026-03-07, 22:31
Just to comment: when bad-ware operates on localhost for the purpose of avoiding protections in the browser, it's not the browser's fault/problem - because the machine/OS is already pwned regardless of whether the browser is running.
