crosswalk-project / crosswalk

A web runtime built on Chrome. This project is currently unmaintained.
https://crosswalk-project.org/blog/crosswalk-final-release.html
BSD 3-Clause "New" or "Revised" License

Request was denied for security (net::ERR_INSECURE_RESPONSE) #4020

Closed lzkill closed 6 years ago

lzkill commented 6 years ago

Hi fellas. I’m having a hard time generating a functional .apk of my Ionic app. When Crosswalk is enabled I get this toast (Request was denied for security) and an error on all https calls (net::ERR_INSECURE_RESPONSE). Could somebody give me a hand here? Thanks, guys!

config.xml

<?xml version='1.0' encoding='utf-8'?>
<!-- Cordova config.xml for the Ionic app from the report. The xxx.yyy values
     look like redactions by the poster, and the "..." lines inside the
     platform elements are presumably elided content. -->
<widget id="xxx.yyy" version="0.0.1" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <name>XXX.YYY</name>
    <description>xxx.yyy</description>
    <author email="xxx.yyy" href="xxx.yyy">xxx.yyy</author>
    <content src="index.html" />
    <!-- Network request whitelist (cordova-plugin-whitelist): "*" permits
         requests to any origin. Prefer listing only the API hosts the app
         actually calls. -->
    <access origin="*" />
    <!-- allow-intent: URLs the app may ask the system to open. -->
    <allow-intent href="http://*/*" />
    <allow-intent href="https://*/*" />
    <allow-intent href="tel:*" />
    <allow-intent href="mailto:*" />
    <!-- allow-navigation: URLs the WebView itself may navigate to. These
         wildcards admit any site, including cleartext http. Pages loaded this
         way run inside the app's WebView, so restrict the list to trusted
         https hosts where possible. -->
    <allow-navigation href="http://*/*" />
    <allow-navigation href="https://*/*" />
    <allow-navigation href="tel:*" />
    <allow-navigation href="mailto:*" />
    <platform name="android">
        <allow-intent href="market:*" />
        ...
    </platform>
    <platform name="ios">
        <allow-intent href="itms:*" />
        <allow-intent href="itms-apps:*" />
        ...
    </platform>
    <preference name="orientation" value="default" />
    <preference name="ScrollEnabled" value="false" />
    <preference name="StatusBarStyle" value="default" />
    <!-- API level 16 is Android 4.1. Devices this old may ship an outdated
         system root CA store, so a server chain ending in a newer root can be
         rejected there while newer Android versions accept it. -->
    <preference name="android-minSdkVersion" value="16" />
    <preference name="BackupWebStorage" value="none" />
    <preference name="SplashScreen" value="screen" />
    <preference name="SplashMaintainAspectRatio" value="true" />
    <preference name="FadeSplashScreenDuration" value="300" />
    <preference name="ShowSplashScreenSpinner" value="false" />
    <preference name="AutoHideSplashScreen" value="false" />
    <preference name="SplashScreenDelay" value="3000" />
    <preference name="SplashShowOnlyFirstTime" value="false" />
    <engine name="android" spec="^6.2.3" />
    <engine name="ios" spec="^4.5.3" />
    <plugin name="cordova-plugin-device" spec="^1.1.6" />
    <plugin name="cordova-plugin-inappbrowser" spec="^1.7.1" />
    <plugin name="cordova-plugin-splashscreen" spec="^4.0.3" />
    <plugin name="cordova-plugin-whitelist" spec="^1.3.2" />
    <plugin name="cordova-plugin-ionic-webview" spec="^1.1.15" />
    <plugin name="cordova-plugin-statusbar" spec="^2.2.3" />
    <plugin name="cordova-plugin-ionic-keyboard" spec="^2.0.2" />
    <plugin name="cordova-plugin-app-version" spec="^0.1.9" />
    <plugin name="mx.ferreyra.callnumber" spec="~0.0.2" />
    <plugin name="cordova-plugin-email-composer" spec="^0.8.11" />
    <!-- Crosswalk replaces the system WebView with its own bundled runtime,
         and that runtime performs TLS certificate validation.
         net::ERR_INSECURE_RESPONSE means validation of the server certificate
         failed. The remedy is a server chain the device can verify (complete
         intermediates, a root the device trusts), not relaxed validation in
         the client.
         The Crosswalk project states it is unmaintained, so this runtime no
         longer receives security fixes. -->
    <plugin name="cordova-plugin-crosswalk-webview" spec="^2.3.0">
        <!-- "23+" is a floating version: the exact runtime build is chosen at
             build time rather than pinned. -->
        <variable name="XWALK_VERSION" value="23+" />
        <!-- NOTE(review): a canary channel library is named here. Presumably
             only used in lite mode; confirm against the plugin docs. -->
        <variable name="XWALK_LITEVERSION" value="xwalk_core_library_canary:17+" />
        <variable name="XWALK_COMMANDLINE" value="--disable-pull-to-refresh-effect" />
        <!-- embedded: the runtime is packaged inside the APK. -->
        <variable name="XWALK_MODE" value="embedded" />
        <variable name="XWALK_MULTIPLEAPK" value="true" />
        <!-- NOTE(review): the meaning of XWALK_HOSTS is not shown on this
             page; verify it against the plugin documentation before relying
             on it as a host restriction. -->
        <variable name="XWALK_HOSTS" value="http://*/,https://*/" />
    </plugin>
</widget>

package.json

{
  "name": "xxx.yyy",
  "version": "0.0.1",
  "description": "xxx.yyy",
  "scripts": {
    ...
  },
  "dependencies": {
    "@angular/common": "5.0.0",
    "@angular/compiler": "5.0.0",
    "@angular/compiler-cli": "5.0.0",
    "@angular/core": "5.0.0",
    "@angular/forms": "5.0.0",
    "@angular/http": "5.0.0",
    "@angular/platform-browser": "5.0.0",
    "@angular/platform-browser-dynamic": "5.0.0",
    "@ionic-native/app-version": "^4.4.2",
    "@ionic-native/call-number": "^4.4.2",
    "@ionic-native/core": "^4.3.1",
    "@ionic-native/email-composer": "^4.4.2",
    "@ionic-native/in-app-browser": "^4.3.1",
    "@ionic-native/splash-screen": "^4.3.1",
    "@ionic-native/status-bar": "^4.3.1",
    "@ionic/storage": "2.1.3",
    "call-number": "^1.0.1",
    "chart.js": "^2.7.1",
    "cordova-android": "^6.2.3",
    "cordova-ios": "^4.5.3",
    "cordova-plugin-app-version": "^0.1.9",
    "cordova-plugin-crosswalk-webview": "^2.3.0",
    "cordova-plugin-device": "^1.1.6",
    "cordova-plugin-email-composer": "^0.8.11",
    "cordova-plugin-inappbrowser": "^1.7.1",
    "cordova-plugin-ionic-keyboard": "^2.0.2",
    "cordova-plugin-ionic-webview": "^1.1.15",
    "cordova-plugin-splashscreen": "^4.0.3",
    "cordova-plugin-statusbar": "^2.2.3",
    "cordova-plugin-whitelist": "^1.3.2",
    "ionic-angular": "3.9.2",
    "ionicons": "3.0.0",
    "mx.ferreyra.callnumber": "~0.0.2",
    "ngx-pipes": "^2.0.5",
    "rxjs": "5.5.2",
    "sw-toolbox": "3.6.0",
    "zone.js": "0.8.18"
  },
  "devDependencies": {
    "@ionic/app-scripts": "3.1.5",
    "typescript": "~2.4.2"
  },
  "config": {
    "ionic_aot_write_to_disk": true,
    "ionic_source_map": "source-map",
    "ionic_webpack": "./webpack.config.js"
  },
  "cordova": {
    "platforms": [
      "android",
      "ios"
    ],
    "plugins": {
      "cordova-plugin-device": {},
      "cordova-plugin-inappbrowser": {},
      "cordova-plugin-splashscreen": {},
      "cordova-plugin-whitelist": {},
      "cordova-plugin-ionic-webview": {},
      "cordova-plugin-statusbar": {},
      "cordova-plugin-ionic-keyboard": {},
      "cordova-plugin-app-version": {},
      "mx.ferreyra.callnumber": {},
      "cordova-plugin-email-composer": {},
      "cordova-plugin-crosswalk-webview": {
        "XWALK_VERSION": "23+",
        "XWALK_LITEVERSION": "xwalk_core_library_canary:17+",
        "XWALK_COMMANDLINE": "--disable-pull-to-refresh-effect",
        "XWALK_MODE": "embedded",
        "XWALK_MULTIPLEAPK": "true",
        "XWALK_HOSTS": [
          "http://*/",
          "https://*/"
        ]
      }
    }
  }
}
Giriton commented 6 years ago

We started to have the same issue after we updated the server https certificate. We use nginx on our server, if that is relevant. Did you manage to solve the issue? How?

lzkill commented 6 years ago

I've solved the issue by replacing the certificate I was pointing to. The following tool helped me to see that the problem was probably within the certificate.

https://www.digicert.com/help/

huynhquocmy commented 6 years ago

Hello @Giriton, have you managed to fix this issue some other way? I have the same issue here...

Giriton commented 6 years ago

Hi @huynhquocmy, we found the cause and worked around it. We started to have this issue after we updated the server's HTTPS certificate. The certificate was signed by a publicly trusted certification authority, and on Windows, Linux, iOS and Android 5 and newer everything was all right. The issue appeared only on Android 4.2.2 devices. We found out that these devices did not have updated root certificates and so did not know our issuing certificate authority; as a result, they did not consider our server certificate to be trusted.

As we could not update the trusted certificates on all our client's Android 4 devices, we decided to buy a server certificate from another provider whose signing certificate was still included in Android 4 (COMODO).

If we were not using Crosswalk, we would use certificate pinning or bundle the current certificate authorities into the APK. However, Crosswalk seems to use native C code for HTTPS and ignores all custom certificates packaged with the APK. Hope this makes sense and helps you resolve the issue.

huynhquocmy commented 6 years ago

Thank you very much @Giriton, that is very clear to me. I will also need to find a workaround. Opening a direct browser link using Crosswalk seems to work for me, but an embedded iframe does not. I still need to find out more.