Our web server is off-site, colocated at a typical data center.
On-site are networked items such as a label printer and a weigh scale.
To generate a shipping label from Firefox browser, one requests a page
from the server, then gets the weight from the scale. At first this is
a problem: we had a Beaglebone serving HTTP requests for the weight
and Firefox blocked the request. Solvable by serving weight over HTTPS
with CORS header, using the self-signed cert and whitelisting the
private IP address in Firefox.
But for printing the label, we have no control over the HTTP server
(and Zebra seems to have no plans to update their print servers): it
does not serve HTTPS requests, so default Firefox blocks the XHR.
Firefox does offer a way to unblock mixed content on a website
temporarily, but you can't unblock *before* the request, which
invalidates the label, and as soon as one navigates away from the
site, the block is re-instated. So the only stable solution appears to
be setting the security.mixed_content.block_active_content parameter
to false. But that means allowing mixed active content on any page
served anywhere on the net.
So I'm wondering, first, am I missing something obvious? Or, now that
Debian has thrown its lot in with Firefox, is this an issue for anyone
else? Is there a reason why we can't permanently allow mixed content
just for websites we control? Or allow XHR for private IP's? I think I
saw a Firefox bug thread where these concerns were summarily
dismissed, but there must be a lot of shops like ours out there. How
do they handle this security issue?
Thanks for reading.
Mark