TurboWarp / extensions

User-contributed unsandboxed extension gallery for TurboWarp
https://extensions.turbowarp.org/
MIT License

Http extension ignore self-signed certificate #1353

Open radtrentasei opened 5 months ago

radtrentasei commented 5 months ago

Hi team, I've left a comment also here: https://scratch.mit.edu/users/RedMan13/ but I feel the best place is here indeed.

I am using the http extension to consume an API exposed via HTTPS with a self-signed certificate. If I don't visit the URL with the browser and accept the certificate, the http blocks don't return anything as expected. When I visit and accept, all is OK.

I would like to skip the step of visiting the URL and accepting the certificate. Would it be possible to add some sort of global flag in the http extension to ignore self-signed certificate warnings? Or is it something the browser will not allow?

I can try to contribute and code this and test, however I don't find the js file of the extension.

Follow-up question: with the TurboWarp desktop version, how do I permit the domain?

Thanks

GarboMuffin commented 5 months ago

You should really just use a real certificate -- they are very easy to get. If for some reason you can't then you'll probably have to add the self-signed one to your operating system's certificate store so every app thinks it's okay.

In the browser we have literally no control over what certificates the browser is okay with.

In the desktop app we might have more control but I really would rather not add an option to disable HTTPS validation. There is already an option to disable CORS enforcement in desktop settings and you can use extensions to access plain HTTP websites if you want.

radtrentasei commented 5 months ago

Thank you for the feedback. I have solved the CORS by using an nginx proxy (still need to find the solution for Safari).

Unfortunately, for the time being a public certificate is not an option. My REST API server is accessible via a VPN and has a private IP. I was assuming we don't have control over what the browser does in this regard.

For what concerns the desktop app, indeed I am pointing to the plain HTTP service. Is there a way from the code blocks to identify if I am using the browser-based TurboWarp or the desktop version? At least I can point to a different URL with the code.

GarboMuffin commented 5 months ago

Again if you can tell your operating system to trust your self-signed certificate (your favorite search engine will help), most apps should just respect that without further inquiry.

You can also try launching Chrome or TurboWarp with the --ignore-certificate-errors flag from the command line, which does what it says. Not very secure, of course.

You could try HTTPS with an HTTP fallback if HTTPS fails to make it work more universally since I don't think we have an <is desktop app?> (yet)

Another thing you can try is getting a real domain with DNS (subdomains okay) and pointing it towards your private IP. With a real domain you can get a free real HTTPS certificate from Let's Encrypt (or ZeroSSL? never used them) using DNS text records.

GarboMuffin commented 5 months ago

I guess you can detect <is desktop app?> right now by using the network extension to get the current URL. Website will of course be https://... but the desktop app is tw-editor://...

Hopefully at least some of this rambling will be useful for you
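
An added example, not part of the thread or of TurboWarp's code: one way to combine two suggestions from the comments above, HTTPS first with an HTTP fallback and telling the desktop app from the website by URL scheme. The function names, the sample endpoints in the usage comment and the exact `tw-editor://` page URL are assumptions; only the `https://` and `tw-editor://` schemes come from the thread.

```javascript
// Added example with hypothetical helper names.
// Classify where the project is running from the page URL.
function detectRuntime(pageHref) {
  const scheme = new URL(pageHref).protocol;
  if (scheme === 'tw-editor:') return 'desktop';
  if (scheme === 'https:') return 'web';
  return 'unknown';
}

// Build the ordered list of endpoints to try. HTTPS is always first.
// Plain HTTP is added only in the desktop app (browsers block plain-HTTP
// requests made from an HTTPS page as mixed content) and only when it names
// the same host as the HTTPS endpoint, so a failed TLS handshake cannot
// send the request to a different server.
function planEndpoints(pageHref, httpsUrl, httpUrl) {
  const secure = new URL(httpsUrl);
  if (secure.protocol !== 'https:') throw new Error('primary endpoint must be https');
  const plan = [secure.href];
  if (httpUrl && detectRuntime(pageHref) === 'desktop') {
    const plain = new URL(httpUrl);
    if (plain.protocol === 'http:' && plain.hostname === secure.hostname) {
      plan.push(plain.href);
    }
  }
  return plan;
}

// Try each endpoint in order. fetch() rejects with a TypeError on network
// failures, which is also how an untrusted certificate surfaces to scripts.
// The result records whether the response came over plain HTTP so the
// project can show or log the downgrade instead of hiding it.
async function fetchFirst(plan, fetchImpl = fetch) {
  let lastError;
  for (const url of plan) {
    try {
      const res = await fetchImpl(url);
      return { url, downgraded: url.startsWith('http:'), res };
    } catch (err) {
      lastError = err;
    }
  }
  throw lastError;
}

// Usage (constructed endpoints):
// fetchFirst(planEndpoints(location.href,
//   'https://api.internal.example:8443/v1/status',
//   'http://api.internal.example:8080/v1/status'));
```

Anything received with `downgraded: true` travelled unencrypted and unauthenticated, so it should carry no credentials and be treated as untrusted input.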