Document the differences of Che Theia WebView behavior in single-/multi-host modes #18496
Comments
We've already discussed the first point - regarding the same origin for Che Theia and a Webview. The second one we've discovered recently, with @sleshchenko. And I want to gather the opinions on how it's better to document it.
This is how it looks to the end-user. I go to Che URL without Che's self-signed CA certificate imported. Chrome provides the option to proceed with the disabled security check:
I proceed and I'm able to load Che Theia but not a Webview, like the Welcome page. In the console, Chrome warns me about the security breach:
Chrome allows installing a ServiceWorker (load a Webview) in a completely secure context only. For local development/testing Chrome provides a couple of options to disable this check:
So, there're three options available for the Che/CRW user: two mentioned above + import the self-signed CA certificate into Chrome. Should we only recommend the user to import a self-signed certificate? Or document all three options at the discretion of the user?
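The failure described in the comment above can be detected at runtime and turned into an actionable message. This is an added example, not code from the thread or from Che Theia; the function names, the worker URL and the stand-in environments are hypothetical and constructed for illustration.

```javascript
// Added example, not Che Theia code. All names and the worker URL are hypothetical.
// `env` mirrors the browser globals used (pass `window` in a real page), so the
// logic can also be exercised outside a browser with constructed stand-ins.
async function diagnoseWebviewHost(env, workerUrl = '/webview/service-worker.js') {
  // Plain http (other than localhost) is never a secure context.
  if (!env.isSecureContext) {
    return { ok: false, reason: 'insecure-context', hint: 'Serve the page over HTTPS.' };
  }
  const sw = env.navigator && env.navigator.serviceWorker;
  if (!sw) {
    return { ok: false, reason: 'no-service-worker-api',
             hint: 'navigator.serviceWorker is not exposed in this context.' };
  }
  try {
    await sw.register(workerUrl);
    return { ok: true, reason: 'registered', hint: '' };
  } catch (err) {
    // Chrome rejects registration with a SecurityError when the worker script is
    // fetched over a connection whose certificate it does not trust, even after
    // the user clicked through the certificate warning for the page itself.
    if (err && err.name === 'SecurityError') {
      return { ok: false, reason: 'security-error',
               hint: 'If the server uses a self-signed CA, import that CA certificate into the browser.' };
    }
    return { ok: false, reason: 'registration-failed', hint: String(err && err.message) };
  }
}

// Constructed stand-ins for three browser states (not captured from a real browser).
function constructedEnv(kind) {
  if (kind === 'http') return { isSecureContext: false, navigator: {} };
  const register = kind === 'bypassed-cert'
    ? async () => {
        const e = new Error('An SSL certificate error occurred when fetching the script.');
        e.name = 'SecurityError';
        throw e;
      }
    : async () => ({ scope: '/webview/' });
  return { isSecureContext: true, navigator: { serviceWorker: { register } } };
}
```

A `SecurityError` can have other causes, such as a scope or origin mismatch, so the hint names the certificate as a likely cause rather than the only one.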
I believe we can't advise the user to disable the security checks in Chrome, as they are introduced to facilitate local development/testing only.
@azatsarynnyy it looks like we are back at the initial problem we had with multi-host. In both cases we need to locally import the CA cert if it's untrusted by the local browser. That's annoying. Isn't there an alternative to serviceworker to load webviews?
@l0rd Service workers are an essential part of Webview API in Theia. It allows handling loading the webview resources (packaged with a plugin) in a very neat/graceful way. I agree, asking the user to import a certificate is an annoying step. But I’m not sure if it's worth reinventing the wheel yourself by implementing the whole complex mechanism of Webview API in some alternative way and start maintaining it downstream.
che-docs has been updated with the note eclipse-che/che-docs#1717
Is your task related to a problem? Please describe.
There're some differences in Che Theia WebView behavior depending on Che mode - single- or multi-host.
These differences are important to the user. ATM the known differences are:
Describe the solution you'd like
Need to document it in Che/CRW docs.
Describe alternatives you've considered
Additional context