Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chrome Error: Please use a browser with webcrypto support #475

Closed
2 tasks done
lidel opened this issue May 8, 2018 · 0 comments · Fixed by #484
Closed
2 tasks done

Chrome Error: Please use a browser with webcrypto support #475

lidel opened this issue May 8, 2018 · 0 comments · Fixed by #484
Assignees
@lidel
Labels
area/window-ipfs Issues related to IPFS API exposed on every page kind/bug A bug in existing code (including security flaws)
Projects
window.ipfs

Comments

@lidel
Copy link
Member

lidel commented May 8, 2018
edited

Problem / TL;DR

Chrome won't allow access to webcrypto for pages served via HTTP unless it's at localhost.
This means parts of window.ipfs will be broken on non-TLS non-localhost gateways.

How to Reproduce

  1. Open HTTP (non-TLS) page that is also not a localhost in Chrome with window.ipfs experiment enabled
  2. Try running window.ipfs.object.put() (try this Example code)
  3. Get the error:

    screenshot

Background

This is not a bug, it is a feature sort of a thing.

Modern browsers are limiting selected APIs to be available in Secure Contexts only.
Chrome includes webcrypto in this scheme, which means it cannot be accessed when served from insecure origin:

  • The WebCrypto API was enabled by default starting in Chrome 37 (August 26, 2014)
    • Access to the WebCrypto API is restricted to secure origins (which is to say https:// pages).

Current list of “secure” origins according to Chrome can be found here:

Secure origins are those that match at least one of the following (scheme, host, port) patterns:

(https, *, *)
(wss, *, *)
(*, localhost, *)
(*, 127/8, *)
(*, ::1/128, *)
(file, *, —)
(chrome-extension, *, —)

That is, secure origins are those that load resources either from the local machine (necessarily trusted) or over the network from a cryptographically-authenticated server. See Prefer Secure Origins For Powerful New Features for more details.

Related discussion on our end: multiformats/js-multihashing-async#22

Potential Solutions
@lidel lidel added kind/bug A bug in existing code (including security flaws) UX area/window-ipfs Issues related to IPFS API exposed on every page labels May 8, 2018
@lidel lidel self-assigned this May 8, 2018
@lidel lidel mentioned this issue May 8, 2018
Closed
12 tasks
lidel added a commit to multiformats/js-multihashing-async that referenced this issue May 8, 2018
@lidel
fix: improve Error on missing webcrypto
971bd1b 
Background:
ipfs/ipfs-companion#475
lidel added a commit to multiformats/js-multihashing-async that referenced this issue May 8, 2018
@lidel
fix: improve Error on missing webcrypto
afa03e2 
Background:
ipfs/ipfs-companion#475
This was referenced May 8, 2018
Merged
Closed
@lidel lidel mentioned this issue May 23, 2018
Merged
daviddias pushed a commit to multiformats/js-multihashing-async that referenced this issue May 30, 2018
@lidel @daviddias
fix: improve Error on missing webcrypto
b9c52b9 
Background:
ipfs/ipfs-companion#475
@lidel lidel added this to Done in window.ipfs Oct 1, 2019
@tibetsprague tibetsprague mentioned this issue May 14, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lidel lidel

Labels
area/window-ipfs Issues related to IPFS API exposed on every page kind/bug A bug in existing code (including security flaws)
Projects
No open projects
window.ipfs
  
Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Improving security of window.ipfs (low hanging fruits) ipfs/ipfs-companion
1 participant
@lidel