Web SAMP and HTTPS

Problem

The SAMP Web Profile allows web applications to talk to other SAMP clients, communicating with the Hub using an XMLHttpRequest to a well-known port (21012) on the local host. There are problems with doing this if the web page hosting the web application is served from HTTPS rather than HTTP, since access to the hub URL http://localhost:21012/ counts (at least in some interpretations) as mixed active content, which is generally blocked by browsers. This issue has been known since 2014, but is becoming more pressing as more data providers use HTTPS for service delivery. See Presentation at Sydney Interop (2015) for more details.

Bad solution

A possible solution was proposed that defines a new Profile involving use of an external Relay service and abuse of mixed passive content to bootstrap communications, as described in Taylor presentation at Cape Town Interop (2016). This has been shown to work, e.g. it is currently deployed at ASI-SSDC based on a custom/prototype JSAMP hub, see Verrecchia presentation at Paris Interop (2019). This solution however is not elegant, efficient, robust or nice. There is some more discussion of this as well as alternative bad solutions in https://arxiv.org/abs/1912.00917 (presented by Taylor at ADASS 2019; this paper is now mostly obsolete).

Good solution?

Following discussion at Groningen Interop (2019), some more progress was made that could get HTTPS-based web applications to use the Web Profile as it stands:

• Felix Stoehr pointed out that in recent tests, this just works in some browsers anyway, i.e. the problem has just gone away. This was a surprise, that arises from changes to the various w3c security standards over the last few years (see analysis).
• Sonia Zorba prepared a browser extension samp-browser-extension for browsers that still have problems with this

These two developments may provide a good-enough solution to this problem; some (hopefully increasingly many) browsers will work anyway, and for others users can be encouraged to install a browser extension that will make them work.

Current status

We are assessing which browsers now support Web SAMP over HTTPS without making any special arrangements. I believe those that do, do so because of browser implementation of the W3C Secure Contexts document. Thanks to those who have tried out browser/OS combinations following the instructions below. The headline results seem to be:

• Recent versions of Firefox, Chrome, Edge: SAMP over HTTPS works with no problems
• Safari: SAMP over HTTPS doesn't work (see here for long and acrimonious discussion - may change eventually? MarkTaylor - 2024-03-11 )
• Others: Vivaldi works. Luakit works. Internet Explorer: not sure.
• ... but there are apparently exceptions; I've highlighted these in the table

The OS doesn't seem to make a difference (Linux, MacOS, Windows 10 all tried).

This looks quite positive; services may decide on that basis that it's worth providing Web SAMP in HTTPS-based services on the basis that they will work for many/most users. Optionally, they could provide the browser extensions for others.

You can try this out using your browser/OS combination(s):

To work out the status of HTTPS+SAMP on your browser/OS, follow these easy instructions:

1. Start a SAMP Hub+client on your machine (e.g. run TOPCAT)
2. Visit this HTTP page. Click the button.
   • A popup should appear asking you to allow SAMP registration from a web application (with an http://... Origin). Accept, and a table should be loaded in TOPCAT. (If this doesn't happen, your problems are not related to HTTPS)
3. Visit this HTTPS page. Click the button.
   • Either as before, you are prompted to allow registration (for a web app with an https://... Origin) and a table is loaded in TOPCAT as before - this means SAMP+HTTPS does work on your browser
   • Or nothing happens - this means SAMP+HTTPS does not work on your browser.
4. Record in the table below whether it did or didn't work ("yes" or "no" in the Works out of the box? column)

If you've done that but don't have easy write access to the wiki, you can mail your results to either m.b.taylor@bristol.ac.uk or apps-samp@ivoa.net.

(If you want to try some more interesting examples, including 2-way communications, others are available: HTTP / HTTPS. I'm expecting that if HTTPS works/fails for one SAMP example it will be the same for all, but if you find different, please report it).

Results: some anomalous outcomes are highlighted

HTTPS + SAMP Survey
Browser	Version	OS	Works out of the box?	Reporter
Chrome	77	Ubuntu	yes	Felix Stoehr
Chromium	78.0	Ubuntu	yes	Mark Taylor
Chromium	85.0	Ubuntu	yes	Mark Taylor
Firefox	70.0.1	OSX Mojave	yes	Felix Stoehr
Firefox	70.0	Ubuntu	no	Felix Stoehr
Firefox	59	RHEL6	no	Mark Taylor
Firefox	70.0.1	Ubuntu	no	Mark Taylor
Firefox	81.0	Ubuntu	yes	Mark Taylor
Firefox Nightly	75.0 (64-bit)	GUIX	yes	Hugo Buddelmeijer
Chrome	85.0	MacOS 10.13.6	yes	Thomas Boch
Firefox	81.0	MacOS 10.13.6	yes	Thomas Boch
Safari	13.1.2	MacOS 10.13.6	no	Thomas Boch
Chrome	85.0	Fedora 31	yes	Marco Molinaro
Firefox	80.0	Fedora 31	yes	Marco Molinaro
Chrome	85.0.	MacOS 10.11.3	yes	Susana Sánchez Expósito
Firefox	78.2	MacOS 10.11.3	yes	Susana Sánchez Expósito
Safari	9.0.3	MacOS 10.11.3	No	Susana Sánchez Expósito
Firefox	81.0	MacOS 10.14.6	Yes	Susana Sánchez Expósito
Chrome	85.0	MacOS 10.14.6	Yes	Susana Sánchez Expósito
Safari	13.1	MacOS 10.14.6	No	Susana Sánchez Expósito
Firefox	86.0.1	MacOS 10.14.6	Yes	Stéphane Erard
Safari	13.1.2	MacOS 10.14.6	No	Stéphane Erard
Chrome	89.0.4389.90	MacOS 10.14.6	Yes	Stéphane Erard
Firefox	115.11.0esr (64 bits)	MacOS 14.4.1	Yes	Stéphane Erard
Firefox	81.0(64 bits)	Ubuntu 20.04.1 LTS	yes	Regis Haigron
Firefox	80	Windows 10	yes	Regis Haigron
Firefox	81.0(64 bits)	Ubuntu 18.04.1 LTS	yes	Pierre Le Sidaner
Chrome	86.0.4240.75	Ubuntu 18.04.1 LTS	Yes	Pierre Le Sidaner
Vivaldi	3.3.2022.47	Ubuntu 18.04.1 LTS	Yes	Pierre Le Sidaner
Chrome	84.0.4147.125	MacOS 10.12.5	Yes	Juan Carlos Segovia
Safari	10.1.1	MacOS 10.12.5	No	Juan Carlos Segovia
Firefox	75.0	MacOS 10.12.5	Yes	Juan Carlos Segovia
Chrome	57.0	MacOS 10.12.6	Yes	Alcione Mora
Safari	11.0.2	MacOS 10.12.6	Yes	Alcione Mora
Firefox	69.0	MacOS 10.12.6	Yes	Alcione Mora
Chrome	86.0	MacOS 10.14.6	Yes	Hector Canovas
Safari	12.1.2	MacOS 10.14.6	No	Hector Canovas
Firefox	81.0.1	MacOS 10.14.6	No	Hector Canovas
Edge	86.0	Windows 10.0	Yes	Mark Taylor
Chrome	86.0.4240.80	MacOS 10.13.6	Yes	Tom Donaldson
Firefox	81.0.2	MacOS 10.13.6	Yes	Tom Donaldson
Safari	13.1.2	MacOS 10.13.6	No	Tom Donaldson
Luakit	2.0.0	Debian buster	Yes	Markus
Internet Explorer	11.0.9600.19867	Windows Server 2012 R2 Standard	No	Yan Grange
Internet Explorer	11.1198.18362.0	Windows 10 1909	Yes	Yan Grange
Edge	87.0.664.47	Windows 10 1909	Yes	Yan Grange
Internet Explorer	11.630.19041.0	Windows 10 19041	No?	Mark Taylor
Safari	13.1.2	MacOS 10.13.6	No	Baptiste Cecconi
Firefox	89.0.1	MacOS 10.13.6	Yes	Baptiste Cecconi
Chrome	91.0.4472.114	MacOS 10.13.6	Yes	Baptiste Cecconi
Safari	14.1.2	macOS 11.5.1	No	John Swinbank
Safari Technology Preview	Release 128 (Safari 15.0)	macOS 11.5.1	No	John Swinbank
Firefox	90.0.2 (64-bit)	macOS 11.5.1	Yes	John Swinbank
Safari Technology Preview	Release 132 (Safari 15.4)	macOS 11.6	No	John Swinbank
Safari	15.3	macOS 12.2.1	No	Hendrik Heinl
Arc	1.12.1 (42373)	MacOS 13.6	No (HTTP does not work, HTTPS does)	Yan Grange

For more discussion on this topic, see the apps-samp mailing list.

-- MarkTaylor - 2020-10-13