Closed FalconIA closed 5 years ago
This is a return from Chrome telling you that, in that version, the API in question required the page to be served over HTTPS. See http://goo.gl/lq4gCo for more information.
My guess as to why this is working for you on v70 is that the IP is getting resolved to localhost and localhost is being treated as secure in that version.
The v40 version of Chrome is 3 years old and has many CVEs that have been fixed; we strongly recommend that you do not use or support such an old browser and instead help users upgrade.
My purpose is to use a WebCrypto API polyfill on an insecure site (like http://domain.com/) to encrypt some text.
For some reason, I can't stop supporting old browsers and insecure origins right now; I will try it later.

> My guess is why this is working for you on v70 is that the IP is getting resolved to localhost and localhost is being treated as secure in that version.

@rmhrisk I tried from an insecure domain (not a local IP or localhost), and it works on v70.
I tried to debug the code; it throws at `crypto.subtle.generateKey(alg, true, ["sign", "verify"])`.
Then I tried to print out `crypto`:
Under v40:

```
Crypto {subtle: SubtleCrypto, getRandomValues: function}
subtle: SubtleCrypto
__proto__: SubtleCrypto
constructor: function SubtleCrypto() { [native code] }
decrypt: function decrypt() { [native code] }
digest: function digest() { [native code] }
encrypt: function encrypt() { [native code] }
exportKey: function exportKey() { [native code] }
generateKey: function generateKey() { [native code] }
importKey: function importKey() { [native code] }
sign: function sign() { [native code] }
unwrapKey: function unwrapKey() { [native code] }
verify: function verify() { [native code] }
wrapKey: function wrapKey() { [native code] }
__proto__: Object
__proto__: Crypto
```

Under v70:

```
Crypto {subtle: SubtleCrypto}
subtle: SubtleCrypto
__proto__: SubtleCrypto
constructor: ƒ SubtleCrypto()
decrypt: ƒ (algorithm, key, data)
deriveBits: ƒ (algorithm, baseKey, length)
deriveKey: ƒ (algorithm, baseKey, derivedKeyType, extractable, keyUsages)
digest: ƒ (algorithm, data)
encrypt: ƒ (algorithm, key, data)
exportKey: ƒ (format, key)
generateKey: ƒ (algorithm, extractable, keyUsages)
importKey: ƒ (format, keyData, algorithm, extractable, keyUsages)
sign: ƒ (algorithm, key, data)
unwrapKey: ƒ (format, wrappedKey, unwrappingKey, unwrapAlgorithm, unwrappedKeyAlgorithm, extractable, keyUsages)
verify: ƒ (algorithm, key, signature, data)
wrapKey: ƒ (format, key, wrappingKey, wrapAlgorithm)
__proto__: Object
__proto__: Object
```

It seems the polyfill doesn't use the JavaScript lib instead of the native API. Is this the reason why the polyfill cannot work under v40? Is there a way to force use of the JavaScript lib instead of the native API under v40?
Thank you very much.
This is not a pure polyfill in that it uses WebCrypto wherever possible. It does this for security reasons. v40 has WebCrypto; it requires HTTPS to be used.
v70 is likely internally treating your local IP as localhost; this would be the only reason I can think of that it would not complain.
Use outside of a TLS session is not worth supporting; any encryption that would be done could have trivially been captured by an adversary.
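
Added example, not part of the thread and not the polyfill's own code: a synchronous check that tells apart the states discussed above, a native `crypto.subtle` on an insecure origin (present but failing, as under v40), a script-supplied implementation, and a missing one. The function names and the window-like sample objects are constructed, and reading the parameter-listing functions in the v70 dump as script-defined is an assumption.

```javascript
// True when the engine reports the function as built in, the same
// "[native code]" marker visible in the v40 console dump.
function isNativeFn(fn) {
  return typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Approximation for browsers without `isSecureContext`: HTTPS or loopback hosts.
function originLooksSecure(loc) {
  if (!loc) return false;
  if (loc.protocol === 'https:') return true;
  const host = String(loc.hostname || '').toLowerCase();
  return host === 'localhost' || host.endsWith('.localhost') ||
    host === '[::1]' || /^127(\.\d{1,3}){3}$/.test(host);
}

// `env` is a window-like object: { crypto, isSecureContext, location }.
function classifySubtle(env) {
  const secure = typeof env.isSecureContext === 'boolean'
    ? env.isSecureContext
    : originLooksSecure(env.location);
  const subtle = env.crypto && env.crypto.subtle;
  if (!subtle || typeof subtle.generateKey !== 'function') {
    return { secure, kind: 'missing', usable: false };
  }
  if (!isNativeFn(subtle.generateKey)) {
    // A script replaced or supplied the object: keys live in page JavaScript.
    return { secure, kind: 'script', usable: true };
  }
  // Native object on an insecure origin: present, but calls fail (the v40 case).
  return { secure, kind: 'native', usable: secure };
}

// Constructed window-like objects mirroring the two console dumps.
const nativeStub = function generateKey() {}.bind(null); // prints as [native code]
const v40Like = {
  location: { protocol: 'http:', hostname: '192.168.2.64' },
  crypto: { subtle: { generateKey: nativeStub } },
};
// Assumption: the parameter-listing functions in the v70 dump are script-defined.
const v70Like = {
  isSecureContext: false,
  location: { protocol: 'http:', hostname: '192.168.2.64' },
  crypto: { subtle: { generateKey(algorithm, extractable, keyUsages) {} } },
};
```

Checking `kind` and `usable` before the first `generateKey` call lets a page report the insecure-origin condition clearly instead of failing inside the signing path.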
OK, I got the reason why v40 does not work, but there is one question left: why does v70 work? I'm sure that I tested v70 from a WAN IP, and it was not secure.
Of course, this is only my curiosity; you don't need to care about it. Thanks for your response.
I load the official examples page from an insecure site, such as `http://192.168.2.64:18080/examples/html/index.html`, and click the `Sign` button.
Under Chrome `Version 40.0.2214.115`, Chrome throws an exception.
Under Chrome `Version 70.0.3538.77 (Official Build) (64-bit)`, it works well.
What's the problem? Please help.