Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Can the text in the Add Security Exception be modified?

  • 1 个回答
  • 1 人有此问题
  • 10 次查看
  • 最后回复者为 dveditz

more options

Our company has built an application that is currently used by many banks. Recently, we have updated the application to change from a thick client to a thin client using web browsers. The web based client communicates via SignalR to a local windows service that gets installed in order to talk with a check scanner. The web application is served as an HTTPS web site and the local window service which uses SignalR also runs via HTTPS. When the local windows service is installed, a self-signed certificate is generated and installed on the local computer.

When the web client is run on a Mozilla Firefox web browser, a security exception must be manually added for the localhost URL of the SignalR service. The problem is that in the Add Security Exception dialog, the following text is displayed by Firefox: “You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.” Since our applications are used and hosted by banks, this message is not true in our case.

We cannot install a unique signed certificate for every client, which is why we generate a self-signed certificate. We cannot host the local windows service running as just under HTTP, because then the web client cannot communicate with the local windows service due to mixed content security violation. We know the shield in address box on Firefox can disable the protection, but this would have to be done every time.

Is there an alternative to the text in the Add Security Exception from being displayed? Or do you have another suggestion on how to get around this issue? Or can the text in the Add Security Exception dialog box be modified?

Our company has built an application that is currently used by many banks. Recently, we have updated the application to change from a thick client to a thin client using web browsers. The web based client communicates via SignalR to a local windows service that gets installed in order to talk with a check scanner. The web application is served as an HTTPS web site and the local window service which uses SignalR also runs via HTTPS. When the local windows service is installed, a self-signed certificate is generated and installed on the local computer. When the web client is run on a Mozilla Firefox web browser, a security exception must be manually added for the localhost URL of the SignalR service. The problem is that in the Add Security Exception dialog, the following text is displayed by Firefox: “You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.” Since our applications are used and hosted by banks, this message is not true in our case. We cannot install a unique signed certificate for every client, which is why we generate a self-signed certificate. We cannot host the local windows service running as just under HTTP, because then the web client cannot communicate with the local windows service due to mixed content security violation. We know the shield in address box on Firefox can disable the protection, but this would have to be done every time. Is there an alternative to the text in the Add Security Exception from being displayed? Or do you have another suggestion on how to get around this issue? Or can the text in the Add Security Exception dialog box be modified?

由kcarlson4于修改

所有回复 (1)

more options

You can't change that text from a web site (or the bad guys could also), but you could from an add-on. But if you had an add-on it could install the self-signed cert exception for you. For that matter the add-on could be what the web site communicates through to the device, but then this would be a Firefox-specific solution.

If the local service cert is self-signed how does the web app know it's talking to the legitimate service? How do you keep other web sites who know about your service from trying to talk to it? If you trust it simply because it required an installer to create the service running on https://localhost:8888/ (or whatever port) why not get a legitimate cert and install the same one on every client?

How do you handle this in other browsers? At least Firefox remembers exceptions so you only have to set them up once. On other browsers users will have to "click through" the bad-cert page every time they restart their browser.