Why does WebVR require a secure context (https://) in order to run?

[nussetorten]

<Let's have a discussion in the comments down below.>

/cc @KTRosenberg

[nussetorten]

One of the better explanations I could find online is from GitHub user @cvan in 2016. He writes:

The API landscape today is different than what it was in the '90s and '00s. As I would expect, because of the grave dangers of a successful MITM attack or packet sniffing, Service Workers, Geolocation, Push, Camera, Microphone, Bluetooth, etc. can totally own a non-HTTPS site. And that - which alternatives besides TLS do folks recommend? It's easy to think of HTTPS as Security Theatre on the Web, but we're comparing HTTP vs. HTTPS - not HTTPS on its own.

Full thread is fascinating - quite long but worth the read: immersive-web/webxr#60 (comment)

The post terminates with a recipe for quick-and-easy certificate creation, though I don't know if it's more legitimate than our current practice: https://github.com/cvan/webvr-holodeck#local-development

[KTRosenberg]

The problem is that — doesn’t a certificate work on only one IP/machine, in which case this isn’t at all scalable for us as well as 45 students who want to get going and develop on multiple local devices just by doing git pull? —unless this can be automated with an install script.

Also, this kind of prevents us from connecting other systems to Metaroom over websocket, which is another big issue. (Do all services that connect need to have TLS?) For example, a major future possibility could be hooking in Chalktalk, but that is definitely not certified.

I pushed to master a websocket echo server “thing” that runs at start that, if you change all the “wss”es to “ws”, will work locally. But with the wsses an error is shown and everything proceeds as normal.

Anyway, I can flesh-out the communication I need between client and server locally on desktop in insecure ws mode, but my understanding is that this won’t work at all on an external device like the Quest.
Would you please try and figure out /implement a solution to this while I finish the editor and file loading (for local host/desktop)? That would be a big help since I have a lot of other things to finalize. Maybe certifying is something that can be automated on every machine, but it needs to be proper, not with “localhost.” This would be a good time to branch from master.

P.S. It’s entirely possible that my code is wrong too. I thought this should work for localhost regardless. hmm

[nussetorten]

The comment I shared was with regard to webvr (though the issue was on the webxr tracker - weird). Neither the WebVR nor WebXR spec explicitly mention HTTPS or TLS is in the WebXR/WebVR spec.

Huh.

[nussetorten]

Would you please try and figure out /implement a solution to this while I finish the editor and file loading (for local host/desktop)?

Sure thing, I'll see what I can do. I'll check in after work (~11pm EST).

[KTRosenberg]

EDIT: just saw your reply. Thanks!

It’s all very confusing.
Anyway, would you be able to look into this? I pushed to master. I’m not sure if I mis-coded something, but I don’t think so. The self-signed certificate just doesn’t agree with the websocket. :(
Also, just to confirm, any external websocket that wants to connect also needs to use TLS, right?