fix: allow accessing http://127.0.0.1 from https page

... since 127.0.0.1 is [potentially trustworthy](https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy) and honored by most browsers (chromium & firefox)
sockjs · Jun 8, 2020 · f6ec4aa · f6ec4aa
1 parent 3ccf61d
commit f6ec4aa
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/main.js b/lib/main.js
@@ -74,7 +74,7 @@ function SockJS(url, protocols, options) {
     throw new SyntaxError("The URL's scheme must be either 'http:' or 'https:'. '" + parsedUrl.protocol + "' is not allowed.");
   }
 
-  var secure = parsedUrl.protocol === 'https:';
+  var secure = parsedUrl.protocol === 'https:' || parsedUrl.hostname === '127.0.0.1';
   // Step 2 - don't allow secure origin with an insecure protocol
   if (loc.protocol === 'https:' && !secure) {
     throw new Error('SecurityError: An insecure SockJS connection may not be initiated from a page loaded over HTTPS');