brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

[IPFS] Secure context for `ipfs:`-Scheme #13727

Open RubenKelevra opened 3 years ago

RubenKelevra commented 3 years ago

Similar to https://github.com/brave/brave-browser/issues/13706 which is about the ipns: scheme, the ipfs: scheme is currently not considered 'safe' by the browser:

[screenshot]

This is not true.

Brave should give the user information about what exactly is safe in this context via the context menu, and show that this content is indeed secure when using the built-in ipfs node.

Brave version (brave://version info)

Brave: 1.19.86
Chromium: 88.0.4324.96 (Official Build) unknown (64-bit)
Revision: 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS: Linux

CC: @lidel

lidel commented 3 years ago

This is "only" a cosmetic issue :-) cc @autonome @bbondy @jessicaschilling

diracdeltas commented 3 years ago

this is also discussed in https://github.com/brave/brave-browser/issues/13303#issuecomment-752774048

jbaicoianu commented 3 years ago

@lidel I'm not so sure that this is purely cosmetic - it seems that despite window.isSecureContext being true, certain features, like WebXR, appear to be restricted when loading an ipfs:// url directly.

[screenshot]

Compare this with the same page loaded via https://ipfs.io/: [screenshot]

lidel commented 3 years ago

@jbaicoianu if a Web API is available on https:// but missing on ipfs:// or http://*.localhost then it is a bug. Do you mind providing a link that demonstrates the issue with XR? Which Web APIs are missing?

stephendonner commented 3 years ago

@lidel looks like the XR secure vs insecure difference @jbaicoianu is pointing out is:

1) https://ipfs.io/ipfs/bafybeifpwdufzh64uhx64ewij52sswmurqh2ufbldx2khwptvgaxap6i4a/ "Connection is secure" message when clicking on favicon/padlock

[screenshot]

2) ipfs://bafybeifpwdufzh64uhx64ewij52sswmurqh2ufbldx2khwptvgaxap6i4a/ "Your connection to this site is not secure" message when clicking on IPFS icon

[screenshot]

Hope that helps! I can't yet answer the specific question of which APIs are missing/labeled as insecure, though.

lidel commented 3 years ago

The popup label will be fixed in https://github.com/brave/brave-browser/issues/14889. What remains to be done here is to check if/which WebXR APIs are missing when loaded via ipfs://

jbaicoianu commented 3 years ago

Hi, sorry I missed the notification for the reply asking for clarification. As far as I can tell, the WebXR API is present as expected when loaded via ipfs, but requests to activate an XR session are being rejected because WebXR is specced to only allow sessions in secure contexts.

So I guess the real question is, "should ipfs be considered a secure context, and if yes, is there some check somewhere in the WebXR code which is failing for ipfs:// urls even though window.isSecureContext returns true?"

spylogsster commented 3 years ago

@jbaicoianu can you share some examples to reproduce?

jbaicoianu commented 3 years ago

@spylogsster sure. My original example is a bit complex, so I've hosted a copy of the official Immersive Web WebXR examples on IPFS; these should be much easier to work with.

Observed Behavior: ipfs://bafybeihtmlwd67upnydc7zibr6zzx7hjeajniuiz6rdgeczxsokqkallqm/

Main page loaded directly from IPFS, showing that the browser does implement WebXR: [screenshot]

First example (ipfs://bafybeihtmlwd67upnydc7zibr6zzx7hjeajniuiz6rdgeczxsokqkallqm/immersive-vr-session.html) showing that WebXR reports that a device that supports immersive-vr was detected (button is not disabled, navigator.xr.isSessionSupported('immersive-vr') resolves to true): [screenshot]

Clicking "Enter VR" button results in error:

Could not create a session because: The user denied some part of the requested configuration
XRSession creation failed: The specified session configuration is not supported.

[screenshot]

Expected behavior: https://ipfs.io/ipfs/bafybeihtmlwd67upnydc7zibr6zzx7hjeajniuiz6rdgeczxsokqkallqm/

When the same button is clicked when loaded via https://ipfs.io/ the button text changes to "Exit VR", and (after some delay to load the assets) the headset displays the expected scene in the VR headset (not shown in screenshot) [screenshot]
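
A triage probe for the behaviour reported above (secure context reported, XR session still rejected), added here as an example and not code from the thread or from Brave. The names `classify`, `probeXR` and `fakeEnv` and the verdict strings are assumptions; `fakeEnv` is a constructed stand-in for a browser window.

```javascript
// Added diagnostic, not code from the thread. classify, probeXR, fakeEnv and
// the verdict strings are names assumed for this example.

// Pure triage step: turn raw observations into a verdict.
function classify(obs) {
  if (!obs.hasXR) return 'webxr-not-exposed';
  if (!obs.isSecureContext) return 'insecure-context';
  if (obs.error) return `secure-context-but-${obs.failedAt}-rejected`;
  if (!obs.supported) return 'mode-not-supported';
  return 'ok';
}

// Collect observations from a window-like object (pass `window` in a page).
// Call it from a click handler: immersive sessions need user activation.
async function probeXR(env, mode = 'immersive-vr') {
  const xr = env.navigator && env.navigator.xr;
  const obs = {
    scheme: env.location.protocol,
    isSecureContext: env.isSecureContext === true,
    hasXR: Boolean(xr),
    supported: false, failedAt: null, error: null,
  };
  if (xr) {
    try {
      obs.failedAt = 'isSessionSupported';
      obs.supported = await xr.isSessionSupported(mode);
      if (obs.supported) {
        obs.failedAt = 'requestSession';
        const session = await xr.requestSession(mode);
        await session.end(); // only probing, so close the session again
      }
      obs.failedAt = null; // nothing failed
    } catch (e) {
      obs.error = `${e.name}: ${e.message}`;
    }
  }
  return { ...obs, verdict: classify(obs) };
}

// Constructed stand-in for a browser window, so the probe also runs under Node.
function fakeEnv(scheme, sessionRejects) {
  const fail = Object.assign(new Error('constructed rejection'), { name: 'NotSupportedError' });
  return {
    location: { protocol: scheme }, isSecureContext: true,
    navigator: { xr: {
      isSessionSupported: async () => true,
      requestSession: async () => { if (sessionRejects) throw fail; return { end: async () => {} }; },
    } },
  };
}
```

Running `probeXR(window)` from a click handler on both the ipfs:// and the https://ipfs.io/ copy of a page and comparing the two reports shows at which step the two schemes diverge.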

spylogsster commented 3 years ago

@jbaicoianu I see many errors on this page and I do not have the button [screenshot]