I have a native app that runs a localhost server listening for requests. I also have a website which sends requests to the native app through that said localhost (via XMLHttpRequests).
This means that my website requires CORS in order to be able to communicate with the native app.
The native app is receiving unencrypted traffic for obvious reasons (I can’t have a valid cert inside the native app as this will make the app unusable after the certificate expires).
My website, on the other hand, is served via HTTPS, which means that a secure website is sending insecure requests to another host (localhost in this case).
Chrome understands that sending requests to localhost/127.0.0.1 can be safely excluded from the Mixed Content Blocking Policy, which allows me to actually make the entire communication process work (my website is able to send / receive requests to my native app). Safari, on the other hand, doesn’t seem to be excluding localhost/127.0.0.1 from that said Policy, which makes my website+native app unusable in Safari.
I tried using another scheme for the communication (instead of http://), but unfortunately CORS is limited to HTTP-only, so that is a dead end.
Then I thought I might create a domain pointing to 127.0.0.1 with a valid certificate (localhost.foo.com), but the guys from Let’s Encrypt don’t think that this is a good idea.
Creating a self-signed certificate for my native app (so I can then communicate with it via HTTPS from my website) would require my users to install my CA cert in their system’s CA chain, which most users
a) won’t know how to do or
b) won’t be willing to do because of security concerns or
The possibility of serving my website via HTTP instead of HTTPS in order to avoid the Mixed Content Blocking Policy is a no-no for me, so that is completely off the table.
All that said, I’m getting to my question: How should my website communicate with my native app? Is there any way I can achieve this?
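Whatever the browser-side answer turns out to be, the localhost listener described in the question is reachable by every website the user has open, not only the author's own, so the CORS handling on that listener is the control that decides which sites may drive the native app. The following is an added example, not code from the question or from the asker's app: a minimal loopback-only HTTP server that answers CORS preflights and requests only for an explicit allow-list of web origins. The origin `https://app.example.com`, the port `8765` and the handler names are assumptions chosen for the example.

```python
# Added example (not from the original question): a minimal native-app
# localhost listener that only answers cross-origin requests from an explicit
# allow-list of web origins. The browser sets the Origin header itself (page
# scripts cannot forge it), so checking it is what keeps other sites the user
# visits from talking to the app.
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# Assumed origin of the HTTPS website allowed to talk to the app (placeholder).
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers(origin, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS response headers for a request from `origin`, or None
    when the origin is not allow-listed. Without Access-Control-Allow-Origin
    the browser discards the response, so the calling page learns nothing."""
    if origin is None or origin not in allowed_origins:
        return None
    return {
        # Echo the exact allowed origin; never answer with "*" on a localhost API.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Max-Age": "600",
    }


class NativeAppHandler(BaseHTTPRequestHandler):
    def _send(self, status, body=b""):
        headers = cors_headers(self.headers.get("Origin"))
        self.send_response(status)
        if headers:
            for name, value in headers.items():
                self.send_header(name, value)
        if body:
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        # Preflight: 204 with CORS headers for allowed origins, 403 otherwise.
        if cors_headers(self.headers.get("Origin")) is None:
            self._send(403)
        else:
            self._send(204)

    def do_GET(self):
        if cors_headers(self.headers.get("Origin")) is None:
            self._send(403, json.dumps({"error": "origin not allowed"}).encode())
            return
        self._send(200, json.dumps({"status": "ok"}).encode())


def serve(port=8765):
    # Bind to loopback only so the listener is not reachable from the LAN.
    HTTPServer(("127.0.0.1", port), NativeAppHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and issue a cross-origin `fetch` from the allowed site and from any other site: the first succeeds, the second fails in the browser because the response carries no `Access-Control-Allow-Origin` header. The allow-list is a separate concern from the mixed-content question above (Safari still blocks the plain-HTTP request before it reaches this server), but it is needed regardless of how that blocking is eventually resolved.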