-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warn when using non HTTPS connection #35
Comments
Hi,
Edit: In the end, not exactly, see #35 (comment) for a more detailed answer. |
@mluisbrown I think you are correct, according to this, HTTPS is required for Keep in mind that there's always a workaround: save html from your (http) server as a file then open it in the browser as a local file. The browsers I've tested allow |
Good catch, I was misleading by the fact that I've always opened secrets in From Chromium point of view:
|
In order to summarize, it's not - directly - related to For example, serving your secret locally under The isSecureContext property seems to be fully supported and indicates exactly if the current context is considered as secure or not. I'll propose a draft PR that try to detect ASAP the potentially insecure context and display a usefull message to the user (it's all arbitray and open to suggestions, of course) but it can look like in the picture below. On the picture below, on the left side, the "insecure" context and its - potential - warning message. On the right side a context that is considered as "secure" (without the warning message, of course). |
Let summarize my proposal #36 in two parts as creator and secret does not meets the same requirements. A - Concerning the creator: Requires HTTPS at any time.
B - Concerning the secret: Requires a "secure context" (given by the isSecureContext property).
|
When trying to decrypt secrets on my homepage, having accessed it with
http
instead ofhttps
I got the rather unhelpful error:Only after checking your example with an incorrect password did I realise the error was not related to my password (which I was sure I had correct).
Then I realised I was using
http
and that might cause Crypto APIs to not work, which was indeed the problem. It might be helpful to warn users that this only works over an SSL connection.The text was updated successfully, but these errors were encountered: