I posted this question on a SoftAP thread a couple of days ago but thought I’d re-post it here as I think that thread is getting a bit long.
I’d like to serve the SoftAP JS over an SSL-encrypted page for setting up customers’ devices. There are a few reasons I want to use SSL, but mainly that I want to keep customers’ access tokens as secure as possible.
As far as I know the current configuration won’t work, as accessing the Photon’s IP address (http://192.168.0.1) violates the SSL encryption and, as far as modern browsers are concerned, could introduce vulnerabilities.
Does anyone have any ideas of how to get around this? My only thought is to create a non-secure subdomain and host the SoftAP routine on there; however, during the claiming process there will still be customer access tokens involved, so it’s not an ideal solution.
Maybe you could make an HTTPS page that gets the access tokens and saves them with localStorage, then redirect to an HTTP page that can access the localStorage from JavaScript.
I don’t think getting around the mixed content warning is going to be reliable. Some browsers allow the user to accept it, but it’s not really ideal.
I ended up just using a separate HTTP (non-SSL) subdomain for the SoftAP part of the setup process.
I don’t actually use the Photons any more though and haven’t kept up to date with this so there may be better solutions now.
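
For readers weighing the setup designs discussed in this thread, the following added example (not code from any poster or from the SoftAP library) models how browsers scope localStorage by origin and how they treat fetch/XHR requests from an HTTPS page to the device address. The example.com hostnames are constructed, and the model is a simplification of the real browser rules.

```javascript
// Added example: simplified model of two browser rules relevant to this thread.
// Hostnames under example.com are constructed; only 192.168.0.1 is from the thread.

// localStorage is partitioned by origin (scheme + host + port), so two pages
// share a storage area only when all three match.
function sharesLocalStorage(pageA, pageB) {
  return new URL(pageA).origin === new URL(pageB).origin;
}

// "Potentially trustworthy" request targets in the Mixed Content sense:
// TLS schemes and loopback addresses. A LAN address like 192.168.0.1 is not one.
function isPotentiallyTrustworthy(url) {
  const { protocol, hostname } = new URL(url);
  if (protocol === 'https:' || protocol === 'wss:') return true;
  return hostname === 'localhost' || hostname.endsWith('.localhost') ||
    /^127(\.\d{1,3}){3}$/.test(hostname) || hostname === '[::1]';
}

// A fetch/XHR issued by an HTTPS page to a non-trustworthy URL is blocked.
function isBlockedAsMixedContent(pageUrl, requestUrl) {
  return new URL(pageUrl).protocol === 'https:' &&
    !isPotentiallyTrustworthy(requestUrl);
}

// Evaluate one setup design: where the token is stored, which page runs the
// SoftAP JS, and the device URL that page has to call.
function evaluateSetupFlow({ tokenPage, softApPage, deviceUrl }) {
  return {
    softApPageCanReadToken: sharesLocalStorage(tokenPage, softApPage),
    deviceRequestBlocked: isBlockedAsMixedContent(softApPage, deviceUrl),
    softApPageOverTls: new URL(softApPage).protocol === 'https:',
  };
}

const DEVICE = 'http://192.168.0.1/';
const flows = {
  // Everything on one HTTPS origin.
  allHttps: { tokenPage: 'https://setup.example.com/login',
    softApPage: 'https://setup.example.com/softap', deviceUrl: DEVICE },
  // Token stored on HTTPS, then redirect to HTTP on the same hostname.
  httpsThenHttp: { tokenPage: 'https://setup.example.com/login',
    softApPage: 'http://setup.example.com/softap', deviceUrl: DEVICE },
  // Separate plain-HTTP subdomain used only for the SoftAP step.
  httpSubdomain: { tokenPage: 'https://setup.example.com/login',
    softApPage: 'http://softap.example.com/', deviceUrl: DEVICE },
};
for (const [name, flow] of Object.entries(flows)) {
  console.log(name, evaluateSetupFlow(flow));
}
```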