asmcrypto / asmcrypto.js

JavaScript Cryptographic Library with performance in mind.
MIT License

asmCrypto seems to be load from an insecure origin when using require from a http page #132

Closed xaviergonz closed 6 years ago

xaviergonz commented 6 years ago

Using asmCrypto.js 0.16.0 from an http page, when using it as a require, issues the following warning:

asmCrypto seems to be load from an insecure origin; this may cause to MitM-attack vulnerability. Consider using secure transport protocol.

xaviergonz commented 6 years ago

related to #128

alippai commented 6 years ago

This seems to be a legit warning. What's your use case, where you want to load asmCrypto via http?

xaviergonz commented 6 years ago

I'm not really loading the precompiled asmcrypto.js file from a script tag; there it would be a legit warning.

In my case I'm just using require('asmcrypto.js') and therefore it ends up inside a big bundle.js file created with fusebox, and that bundle.js file is the one loaded inside a page served via http.

alippai commented 6 years ago

You really shouldn't load the bundle.js file over http. It's just totally insecure, so it shouldn't do anything crypto related. For the http: origins the WebCrypto API is disabled as well.

xaviergonz commented 6 years ago

Actually the only thing I'm using is the sha256 hash function to get the hash of some data, and the WebCrypto API is not disabled. Anyway, I can't use https in this case since it is a special case where the page is on localhost and auto-generated from a local server.

Either way I think I can live with a small warning :)
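
An added example, not part of the thread and not asmCrypto's own code: a simplified origin check modelled on the "potentially trustworthy origin" rule of the W3C Secure Contexts specification, which treats loopback hosts as trustworthy even over http (the localhost case described above). The function names and sample URLs are assumptions made for illustration.

```javascript
// Added example (not asmCrypto's code). Simplified: only https/wss schemes
// and loopback hosts are treated as trustworthy; other rules are omitted.

// Hypothetical helper: true for localhost, *.localhost, 127.0.0.0/8 and ::1.
function isLoopbackHost(hostname) {
  // URL.hostname keeps the brackets around IPv6 literals, e.g. "[::1]".
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 127 &&
    m.slice(1).every((octet) => Number(octet) <= 255);
}

// Hypothetical helper: should code loaded from this page URL be trusted
// not to have been modified in transit?
function isTrustworthyOrigin(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // unparsable input is never trusted
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  return isLoopbackHost(url.hostname);
}

// Constructed sample page URLs, including look-alike hosts that must fail.
const samples = [
  'http://localhost:4444/index.html',
  'http://127.0.0.1:8080/',
  'http://[::1]:3000/',
  'https://example.com/app',
  'http://example.com/bundle.js',
  'http://localhost.example.com/',
  'http://192.168.1.10/',
];
for (const href of samples) {
  console.log(isTrustworthyOrigin(href) ? 'ok  ' : 'warn', href);
}
```

In a browser, `window.isSecureContext` gives the user agent's own answer and is preferable to re-deriving it from the URL.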