New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can we drop the secure context (https) requirement? #383
Comments
Chrome treats localhost as a secure context (https://www.chromestatus.com/feature/6269417340010496), how do you exactly "host" the web interface? Via |
The video security software has an embedded web server which hosts the web interface. Therefore most users access it via private IPv4 address with a custom port number, e.g.
|
I would also like to see the secure context (https) requirement removed Thanks |
@bp2008 makes a good point. This https requirement should be removed. There are lots of legitimate use cases that the current implementation prevents. Thanks! |
I would love to know the reason why it was thought necessary to limit this to secure contexts only. I know SSL/TLS certificates are considered trivial/essential and used pretty much by default by all corporations these days. I don't like that being an excuse to just give everything a secure context requirement "just to be safe" instead of because it was strictly necessary. |
I note issue #350, which details the rationale used for introducing |
Chromium policy about new web APIs available in not secure context hasn't changed. So I don't think we can drop https requirement for webcodecs. |
cc @youennf |
For Chromium based browsers you can use |
Discussed in Media WG meeting, 10 October 2023 minutes |
Hello.
I am very excited about WebCodecs, but I notice in Chrome 94/95, the API is only available in a secure context (https). I cannot imagine why, except to arbitrarily promote usage of TLS. Media processing capabilities have long been available on the unencrypted web by other means. WebCodecs just makes it (much) more convenient for the developer, and better-performing for the user. Why is this restricted to secure contexts?
This is a big problem for my use case, which is a web interface for popular video security software that is installed locally on end-user machines. The web interface is hosted locally too (not from "the cloud") using unencrypted HTTP, hence the problem.
The only way most users will use HTTPS is if we force it, and provide a self-signed certificate. The user experience is awful and it will teach users to navigate through scary browser warnings without a second thought.
The text was updated successfully, but these errors were encountered: