Open RubenKelevra opened 3 years ago
This is "only" a cosmetic issue :-) cc @autonome @bbondy @jessicaschilling
ipfs://
is marked as Secure Context, you can test by opening console and reading the window.isSecureContext
flagipfs://
pages
brave://ipfs
this is also discussed in https://github.com/brave/brave-browser/issues/13303#issuecomment-752774048
@lidel I'm not so sure that this is purely cosmetic - it seems that despite window.isSecureContext
being true
, certain features,like WebXR appear to be restricted when loading an ipfs:// url directly.
Compare this with the same page loaded via https://ipfs.io/:
@jbaicoianu if a Web API is available on https://
but missing on ipfs://
or http://*.localhost
then it is a bug.
Do you mind providing a link that demonstrates the issue with XR? Which Web APIs are missing?
@lidel looks like the XR secure vs insecure difference @jbaicoianu is pointing out is:
1) https://ipfs.io/ipfs/bafybeifpwdufzh64uhx64ewij52sswmurqh2ufbldx2khwptvgaxap6i4a/
Connection is secure
message when clicking on favicon/padlock
2) ipfs://bafybeifpwdufzh64uhx64ewij52sswmurqh2ufbldx2khwptvgaxap6i4a/
Your connection to this site is not secure
message when clicking on IPFS
icon
Hope that helps! I can't yet answer the specific question of which APIs are missing/labeled as insecure, though.
The popup label will be fixed in https://github.com/brave/brave-browser/issues/14889
What remains to be done here is to check if/which WebXR APIs are missing when loaded via ipfs://
Hi, sorry I missed the notification for the reply asking for clarification. As far as I can tell, the WebXR API is present as expected when loaded via ipfs, but requests to activate an XR session are being rejected because WebXR is specced to only allow sessions in secure contexts.
So I guess the real question is, "should ipfs be considered a secure context, and if yes, is there some check somewhere in the WebXR code which is failing for ipfs:// urls even though window.isSecureContext
returns true?"
@jbaicoianu can you share some examples to reproduce?
@spylogsster sure. My original example is a bit complex, so I've hosted a copy of the official Immersive Web WebXR examples on IPFS, these should be much easier to work with.
Main page loaded directly from IPFS, showing that the browser does implement WebXR:
First example (ipfs://bafybeihtmlwd67upnydc7zibr6zzx7hjeajniuiz6rdgeczxsokqkallqm/immersive-vr-session.html) showing that WebXR reports that a device that supports immersive-vr
was detected (button is not disabled, navigator.xr.isSessionSupported('immersive-vr')
resolves to true
):
Clicking "Enter VR" button results in error:
Could not create a session because: The user denied some part of the requested configuration
XRSession creation failed: The specified session configuration is not supported.
When the same button is clicked when loaded via https://ipfs.io/ the button text changes to "Exit VR", and (after some delay to load the assets) the headset displays the expected scene in the VR headset (not shown in screenshot)
@jbaicoianu I see many errors on this page and I do not have the button
Similar to https://github.com/brave/brave-browser/issues/13706 which is about the
ipns:
scheme, theipfs:
scheme is currently not considered 'safe' by the browser:This is not true.
Brave should give the user information about what exactly is safe in this context via the context menu, and show that this content is indeed secure when using the build-in ipfs node.
Brave version (brave://version info)
Brave: 1.19.86 Chromium: 88.0.4324.96 (Official Build) unknown (64-bit) Revision: 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{# 1784} OS: Linux
CC: @lidel