Support for whitelisting domains that are allowed certificate errors #6222

@dteirney

  • Electron version: latest
  • Operating system: Windows

Hello. We have an Electron based web application that needs to connect to both our backend RESTful APIs over the open internet using HTTPS, e.g. https://example.com/path/to/api, AND to RESTful APIs running on the Windows desktop on localhost, e.g. http://localhost:12345/path/to/api. The localhost RESTful APIs are currently not using HTTPS (if someone malicious has managed to compromise localhost then we assume it's game over anyway).

This type of access to HTTP APIs from an HTTPS web page isn't possible due to the Mixed Content protection that Chromium provides out of the box (the base text/html pages calling the APIs using fetch are served via HTTPS from our backend accessed over the open internet).

To work around this we have tried using HTTPS on localhost with a self-signed certificate as it's not possible to get a proper SSL certificate for localhost signed by a root CA. To get this to work we've turned off certificate errors using --ignore-certificate-errors. However, we can't ship like this as we'd then be vulnerable to a man-in-the-middle attack for the HTTPS content being accessed over the open internet.

We tried allowing access to http://localhost with a Content-Security-Policy but it seems that isn't possible.

One thing that might be useful for this scenario would be the ability to whitelist domains where a certificate error is allowed, rather than a simple on/off switch for certificate errors. Is this something that might be feasible to add to Electron? We found discussion about this at https://discuss.atom.io/t/trusting-a-self-signed-certificate/12332 but there wasn't any resolution noted.

Are there any other options that might be straightforward for us to implement to resolve this problem? If we could add a certificate to the certificate trust store used by Electron / Chromium we could probably get something to work using that.

Thanks!
David
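Added example (not code from this issue or from the Electron project): a per-origin certificate allowlist built on Electron's `certificate-error` event in the main process, as an alternative to the global --ignore-certificate-errors switch. The decision is kept in a pure function so it can be unit-tested outside Electron. The host/port pairs (localhost:12345 and 127.0.0.1:12345) and the fingerprint value are hypothetical; the real fingerprint string is whatever Electron reports in `certificate.fingerprint` for the self-signed certificate, recorded when the desktop service is installed. Every other origin, including the internet-facing API, keeps Chromium's default verification, so a spoofed certificate there still fails closed.

```javascript
// Added example (hypothetical names and values): trust a self-signed
// certificate only for an exact host:port AND an exact fingerprint, only for
// the errors a self-signed cert is expected to produce. Everything else is
// left to Chromium's normal verification.

// host:port -> fingerprint string exactly as Electron reports it in
// `certificate.fingerprint`. Constructed sample value; replace with the one
// observed for the real localhost certificate at install time.
const ALLOWLIST = new Map([
  ['localhost:12345', 'sha256/EXAMPLE_FINGERPRINT_RECORDED_AT_INSTALL_TIME='],
  ['127.0.0.1:12345', 'sha256/EXAMPLE_FINGERPRINT_RECORDED_AT_INSTALL_TIME='],
]);

// Only these Chromium net error codes may be overridden. A revoked or
// weak-key certificate on an allowlisted origin is still rejected.
const OVERRIDABLE_ERRORS = new Set([
  'net::ERR_CERT_AUTHORITY_INVALID',
  'net::ERR_CERT_COMMON_NAME_INVALID',
]);

// Pure decision: returns true only if the request targets an allowlisted
// https origin, the error is one we expect from a self-signed cert, and the
// presented certificate's fingerprint matches the recorded one.
function shouldTrustCertificate(urlString, certificate, error, allowlist = ALLOWLIST) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable URL: never trust
  }
  if (url.protocol !== 'https:') return false;
  const port = url.port || '443';
  const expected = allowlist.get(`${url.hostname}:${port}`);
  if (!expected) return false;
  if (!OVERRIDABLE_ERRORS.has(error)) return false;
  return Boolean(certificate) &&
    typeof certificate.fingerprint === 'string' &&
    certificate.fingerprint === expected;
}

// Electron wiring. `require('electron')` only yields the app object inside
// the Electron main process; in plain Node this block is skipped so the
// decision function above can still be tested.
let app;
try {
  ({ app } = require('electron'));
} catch (e) {
  app = undefined;
}
if (app && typeof app.on === 'function') {
  app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
    const trust = shouldTrustCertificate(url, certificate, error);
    // Electron requires preventDefault() together with callback(true) to
    // accept the certificate; callback(false) keeps the default rejection.
    if (trust) event.preventDefault();
    callback(trust);
  });
}
```

Load this from the main process before any window is created. The check is deliberately keyed on host, port, error code and the full fingerprint rather than on the hostname alone: a certificate-error override that matches only "localhost" would let any process that can bind the port, or any attacker who can rewrite DNS for a chosen name, present an arbitrary certificate and be accepted.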
