PeculiarVentures / webcrypto-liner

webcrypto-liner is a polyfill that lets down-level User Agents (like IE/Edge) use libraries that depend on WebCrypto. (Keywords: Javascript, WebCrypto, Shim, Polyfill)
MIT License
148 stars, 26 forks

Exception ‘Only secure origins are allowed’ when loading from an insecure site using Chrome v40. #62

Closed FalconIA closed 5 years ago

FalconIA commented 5 years ago

I load the official examples page from an insecure site, such as: http://192.168.2.64:18080/examples/html/index.html

Click the Sign button.

Under Chrome Version 40.0.2214.115, Chrome throws an exception.

DOMException: Only secure origins are allowed. http://goo.gl/lq4gCo {message: "Only secure origins are allowed. http://goo.gl/lq4gCo", name: "NotSupportedError", code: 9, INDEX_SIZE_ERR: 1, DOMSTRING_SIZE_ERR: 2…}
    code: 9
    message: "Only secure origins are allowed. http://goo.gl/lq4gCo"
    name: "NotSupportedError"
    __proto__: DOMException

Under Chrome Version 70.0.3538.77 (Official Build) (64-bit), it works well.

What's the problem? Please help.

rmhrisk commented 5 years ago

This is a return from Chrome telling you in that version, the API in question was requiring the page to be served over HTTPS. See http://goo.gl/lq4gCo for more information.

My guess is why this is working for you on v70 is that the IP is getting resolved to localhost and localhost is being treated as secure in that version.

The v40 version of chrome is 3y old, it has many CVEs that have been fixed; we strongly recommend that you do not use or support such an old browser and instead help users upgrade.

FalconIA commented 5 years ago

My purpose is to use a WebCrypto API polyfill on an insecure site (like http://domain.com/) to encrypt some text. For some reason, I can't stop supporting old browsers and insecure origins right now; I will try it later.

> My guess is why this is working for you on v70 is that the IP is getting resolved to localhost and localhost is being treated as secure in that version.

@rmhrisk I tried from an insecure domain (not a local IP or localhost); it works on v70.

I tried to debug the code; it throws at crypto.subtle.generateKey(alg, true, ["sign", "verify"]). Then I tried to print out crypto:

Under v40:

Crypto {subtle: SubtleCrypto, getRandomValues: function}
  subtle: SubtleCrypto
    __proto__: SubtleCrypto
      constructor: function SubtleCrypto() { [native code] }
      decrypt: function decrypt() { [native code] }
      digest: function digest() { [native code] }
      encrypt: function encrypt() { [native code] }
      exportKey: function exportKey() { [native code] }
      generateKey: function generateKey() { [native code] }
      importKey: function importKey() { [native code] }
      sign: function sign() { [native code] }
      unwrapKey: function unwrapKey() { [native code] }
      verify: function verify() { [native code] }
      wrapKey: function wrapKey() { [native code] }
      __proto__: Object
  __proto__: Crypto

Under v70:

Crypto {subtle: SubtleCrypto}
  subtle: SubtleCrypto
    __proto__: SubtleCrypto
      constructor: ƒ SubtleCrypto()
      decrypt: ƒ (algorithm, key, data)
      deriveBits: ƒ (algorithm, baseKey, length)
      deriveKey: ƒ (algorithm, baseKey, derivedKeyType, extractable, keyUsages)
      digest: ƒ (algorithm, data)
      encrypt: ƒ (algorithm, key, data)
      exportKey: ƒ (format, key)
      generateKey: ƒ (algorithm, extractable, keyUsages)
      importKey: ƒ (format, keyData, algorithm, extractable, keyUsages)
      sign: ƒ (algorithm, key, data)
      unwrapKey: ƒ (format, wrappedKey, unwrappingKey, unwrapAlgorithm, unwrappedKeyAlgorithm, extractable, keyUsages)
      verify: ƒ (algorithm, key, signature, data)
      wrapKey: ƒ (format, key, wrappingKey, wrapAlgorithm)
      __proto__: Object
  __proto__: Object

It seems the polyfill doesn't use the JavaScript lib instead of the native API. Is this the reason why the polyfill cannot work under v40? Is there a way to force use of the JavaScript lib instead of the native API under v40?

Thank you very much.

rmhrisk commented 5 years ago

This is not a pure polyfill in that it uses WebCrypto wherever possible. It does this for security reasons. v40 has WebCrypto, it requires HTTPS to be used.

v70 is likely internally treating your local IP as localhost, this would be the only reason it would not complain that I can think of.

Use outside of a TLS session is not worth supporting; any encryption that would be done could have trivially been captured by an adversary.

FalconIA commented 5 years ago

OK, I got the reason why v40 does not work, but there is only one question left: why does v70 work? I'm sure that I tested v70 from a WAN IP, and it was not secure.


Of course, this is only my curiosity, you could not care about it. Thanks for your response.

rmhrisk commented 5 years ago

https://www.chromestatus.com/feature/6269417340010496
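
Added example (not part of the original thread and not webcrypto-liner code): a simplified sketch of the W3C Secure Contexts "potentially trustworthy origin" test that decides whether a page may use native WebCrypto, run against the URLs mentioned in this thread. The function name `isPotentiallyTrustworthy` is hypothetical, and `file:` and other browser-specific allowances are left out as an assumption.

```javascript
// Added example: simplified "potentially trustworthy origin" check,
// modelled on the W3C Secure Contexts rules. Function name is hypothetical.
// Not covered (assumption): file:, blob:, extension schemes, admin allowlists.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    // The WHATWG parser canonicalises hosts (e.g. 127.1 -> 127.0.0.1).
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;

  // Strip IPv6 brackets and a trailing root dot before comparing.
  const host = url.hostname
    .replace(/^\[|\]$/g, "")
    .replace(/\.$/, "")
    .toLowerCase();

  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "::1") return true; // IPv6 loopback

  // IPv4 loopback is the whole 127.0.0.0/8 block, not only 127.0.0.1.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m && Number(m[1]) === 127) return true;

  // Everything else over plain HTTP, including RFC 1918 LAN addresses
  // such as 192.168.x.x, is an insecure origin.
  return false;
}

// URLs from the thread plus constructed loopback variants.
const samples = [
  "http://192.168.2.64:18080/examples/html/index.html", // from the thread
  "http://domain.com/",                                 // from the thread
  "https://domain.com/",                                // constructed
  "http://localhost:18080/examples/html/index.html",    // constructed
  "http://127.0.0.1:18080/",                            // constructed
  "http://[::1]:8080/",                                 // constructed
];

function report() {
  return samples.map((u) => [u, isPotentiallyTrustworthy(u)]);
}

console.log(report());
```

In a page, `window.isSecureContext` reports the browser's own verdict where it is supported; this sketch only approximates that decision for a bare URL.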