Is it possible to connect via secure WebSockets from a browser console on an HTTPS web page to a Python


Post by Anonymous »

We installed websockets for Python on macOS with this terminal command:

Code: Select all

(.venv) a@as-MacBook-Pro dic % python3 -m pip install websockets 
server.py:

Code: Select all

#!/usr/bin/env python3

"""Secure WebSocket echo server with TLS."""

import asyncio
import ssl
from websockets.asyncio.server import serve

async def echo(websocket):
    # Send every received message straight back to the client
    async for message in websocket:
        await websocket.send(message)

async def main():
    # Create and configure SSL context
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ssl_context.load_cert_chain(certfile="cert.pem", keyfile="key.pem")

    print("Starting secure WebSocket server on wss://localhost:8765")
    async with serve(echo, "localhost", 8765, ssl=ssl_context):
        await asyncio.Future()  # Run forever

if __name__ == "__main__":
    asyncio.run(main())
localhost_cert.cnf:

Code: Select all

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
CN = localhost

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
We generated key.pem with this terminal command:

Code: Select all

(.venv) a@as-MacBook-Pro dic % openssl genrsa -out key.pem 2048 
We created/overwrote cert.pem with this terminal command:

Code: Select all

(.venv) a@as-MacBook-Pro dic % openssl req -x509 -new -nodes \
-key key.pem \
-sha256 \
-days 365 \
-out cert.pem \
-config localhost_cert.cnf \
-extensions req_ext
We already went to Keychain Access > File > Import Items... > /Users/a/Documents/dic/cert.pem > Open > entered our password and clicked Modify Keychain > double-clicked localhost > clicked Trust > changed "When using this certificate:" from "Use System Defaults" to "Always Trust" > closed the window > entered our password > clicked Update Settings.
We tested the following code on multiple domains:

Code: Select all

const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
http://127.0.0.1:5500/index.html browser console:

Code: Select all

const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
msg => ws.send(msg)
VM1009:2 Connected securely!
However, we cannot do the same on HTTPS websites.
https://github.com/ browser console:

Code: Select all

const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
VM185:1 Connecting to 'wss://localhost:8765/' violates the following Content Security Policy directive: "connect-src 'self' uploads.github.com ...".  The action has been blocked.
(anonymous) @ VM185:1
msg => ws.send(msg)
https://github.com/:
Declarative net rule:

Code: Select all

{
  "id": 23,
  "priority": 1,
  "action": {
    "type": "modifyHeaders",
    "responseHeaders": [
      {
        "header": "Content-Security-Policy",
        "operation": "remove"
      },
      {
        "header": "X-Frame-Options",
        "operation": "remove"
      }
    ]
  },
  "condition": {
    "resourceTypes": [
      "main_frame",
      "sub_frame",
      "stylesheet",
      "script",
      "image",
      "font",
      "object",
      "xmlhttprequest",
      "ping",
      "csp_report",
      "media",
      "websocket",
      "webtransport",
      "webbundle",
      "other"
    ]
  }
}
Browser console after using the declarative net rule in the Brave browser:

Code: Select all

const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
msg => ws.send(msg)
VM856:1 WebSocket connection to 'wss://localhost:8765/' failed:
(anonymous) @ VM856:1
VM856:4 Closed: CloseEvent {isTrusted: true, wasClean: false, code: 1006, reason: '', type: 'close', …}
https://mastodon.social/home browser console:

Code: Select all

Warning: Don’t paste code into the DevTools Console that you don’t understand or haven’t reviewed yourself. This could allow attackers to steal your identity or take control of your computer. Please type ‘allow pasting’ below and press Enter to allow pasting.
allow pasting
const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
VM177:1 Connecting to 'wss://localhost:8765/' violates the following Content Security Policy directive: "connect-src 'self' data: blob: https://mastodon.social https://files.mastodon.social wss://streaming.mastodon.social". The action has been blocked.
(anonymous) @ VM177:1
msg => ws.send(msg)
https://mastodon.social/explore browser console after using declarative net rules to remove the Content-Security-Policy headers:

Code: Select all

const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
msg => ws.send(msg)
VM140:1 WebSocket connection to 'wss://localhost:8765/' failed:
(anonymous) @ VM140:1
VM140:4 Closed: CloseEvent {isTrusted: true, wasClean: false, code: 1006, reason: '', type: 'close', …}
https://x.com/home browser console:

Code: Select all

const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
VM529:1 Connecting to 'wss://localhost:8765/' violates the following Content Security Policy directive: "connect-src 'self' blob: https://fonts.googleapis.com/css ...".  The action has been blocked.
(anonymous) @ VM529:1
msg => ws.send(msg)
https://x.com/home browser console after using declarative net rules to remove the content security headers:

Code: Select all

const ws = new WebSocket('wss://localhost:8765');
ws.onopen = () => console.log('%cConnected securely!', 'color: lime');
ws.onmessage = e => console.log('Server →', e.data);
ws.onclose = e => console.log('Closed:', e);
window.send = msg => ws.send(msg);
msg => ws.send(msg)
VM436:1 WebSocket connection to 'wss://localhost:8765/' failed:
(anonymous) @ VM436:1
VM436:4 Closed: CloseEvent {isTrusted: true, wasClean: false, code: 1006, reason: '', type: 'close', …}
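
Added example, not part of the original post: a simplified JavaScript model of how a browser evaluates connect-src, run against the policy quoted in the mastodon.social console error above, showing why wss://localhost:8765 is refused while the site's own endpoints pass. The function names (connectAllowed, sourceMatches, schemeMatches) are hypothetical, and path matching and port-upgrade rules are left out.

```javascript
// Added example: simplified CSP connect-src matching. Covers 'self', "*",
// scheme-sources and host-sources (optional scheme, port, "*." prefix); paths ignored.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const portOf = u => u.port || DEFAULT_PORT[u.protocol] || '';

// CSP3 scheme matching: a listed scheme also covers its secure upgrades.
function schemeMatches(listed, actual) {
  return listed === actual
    || (listed === 'http:' && actual === 'https:')
    || (listed === 'ws:' && ['wss:', 'http:', 'https:'].includes(actual))
    || (listed === 'wss:' && actual === 'https:');
}

function sourceMatches(expr, url, origin) {
  if (expr === "'self'") {
    // Same origin, or same host and port reached over a secure scheme (https page -> wss).
    return url.origin === origin.origin
      || (url.hostname === origin.hostname
          && (url.port === origin.port || portOf(url) === portOf(origin))
          && ['https:', 'wss:'].includes(url.protocol));
  }
  if (expr === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*']+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false; // quoted keywords such as 'none' never match a URL
  const [, scheme, wildcard, host, port] = m;
  const listed = scheme ? scheme.toLowerCase() + ':' : origin.protocol;
  if (!schemeMatches(listed, url.protocol)) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  return port === '*' || (port ? port === portOf(url) : !url.port);
}

// Returns true when the policy's connect-src (or default-src fallback) allows target.
function connectAllowed(policy, pageUrl, target) {
  const dirs = policy.split(';').map(d => d.trim().split(/\s+/));
  const find = name => dirs.find(t => t[0].toLowerCase() === name);
  const dir = find('connect-src') ?? find('default-src');
  if (!dir) return true; // no governing directive: CSP does not restrict connections
  const url = new URL(target), origin = new URL(pageUrl);
  return dir.slice(1).some(src => sourceMatches(src, url, origin));
}

// Policy text as quoted in the mastodon.social console error above.
const MASTODON_CSP = "connect-src 'self' data: blob: https://mastodon.social " +
  "https://files.mastodon.social wss://streaming.mastodon.social";

console.log(connectAllowed(MASTODON_CSP, 'https://mastodon.social/home', 'wss://localhost:8765'));
```
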
