Can we drop the secure context (https) requirement?

[bp2008]

Hello.

I am very excited about WebCodecs, but I notice in Chrome 94/95, the API is only available in a secure context (https). I cannot imagine why, except to arbitrarily promote usage of TLS. Media processing capabilities have long been available on the unencrypted web by other means. WebCodecs just makes it (much) more convenient for the developer, and better-performing for the user. Why is this restricted to secure contexts?

This is a big problem for my use case, which is a web interface for popular video security software that is installed locally on end-user machines. The web interface is hosted locally too (not from "the cloud") using unencrypted HTTP, hence the problem.

The only way most users will use HTTPS is if we force it, and provide a self-signed certificate. The user experience is awful and it will teach users to navigate through scary browser warnings without a second thought.

[yume-chan]

The web interface is hosted locally too

Chrome treats localhost as a secure context (https://www.chromestatus.com/feature/6269417340010496), how do you exactly "host" the web interface? Via file:// URLs?

[bp2008]

The video security software has an embedded web server which hosts the web interface. Therefore most users access it via private IPv4 address with a custom port number, e.g. http://192.168.0.100:81 or if they have set up port forwarding, then they swap in their public IP or a dynamic DNS hostname.

localhost and file:// URLs unfortunately are not helpful, as the goal is remote access without having to install a dedicated app on client machines.

[MikeLud]

I would also like to see the secure context (https) requirement removed

Thanks
Mike

[aesterling]

@bp2008 makes a good point. This https requirement should be removed. There are lots of legitimate use cases that the current implementation prevents. Thanks!

[FergoTheGreat]

I would love to know the reason why it was thought necessary to limit this to secure contexts only. I know SSL/TLS certificates are considered trivial/essential and used pretty much by default by all corporations these days. I don't like that being an excuse to just give everything a secure context requirement "just to be safe" instead of because it was strictly necessary.

[tidoust]

I note issue #350, which details the rationale used for introducing [SecureContext] in the first place.

[Djuffin]

Chromium policy about new web APIs available in not secure context hasn't changed.
I believe the same is true for Firefox.

So I don't think we can drop https requirement for webcodecs.

[Djuffin]

cc @youennf

[Djuffin]

For Chromium based browsers you can use chrome://flags/#unsafely-treat-insecure-origin-as-secure to treat LAN websites as secure

[chrisn]

Discussed in Media WG meeting, 10 October 2023 minutes