godotengine / godot-proposals

Godot Improvement Proposals (GIPs)
MIT License

Add support for plaintext HTTP for web exports with threads disabled #10076

Open Nukley opened 3 days ago

Nukley commented 3 days ago

Describe the project you are working on

I am working on a game in Godot; it is mostly just a silly test game I am making to learn programming. You can find a copy of it here: https://nukley.com/games/catchase/

Describe the problem or limitation you are having in your project

The Godot HTML5 project exporter does not support HTTP, and is specifically designed to work with HTTPS. Here is an example of the error when attempting to use HTTP: http://content.nukley.com/misc/withoutthread/

Describe the feature / enhancement and how it helps to overcome the problem or limitation

In Godot 4.3, a feature was recently merged which entirely removes the need for SharedArrayBuffer, which gets us one step closer to running this thing.

Describe how your proposal will work, with code, pseudo-code, mock-ups, and/or diagrams

I was able to actually bypass the error in an exported 4.3 Beta 2 project, seen here: http://content.nukley.com/misc/2-test/

I did this by simply removing 3 lines of code from the primary js file, as follows:

if (!Features.isSecureContext()) {
    missing.push('Secure Context - Check web server configuration (use HTTPS)');
}

However, this edit was only tested by me in Firefox and Konqueror, and it only worked in Firefox, minus the audio.

Konqueror (Chromium-based) threw this error upon attempting to load the file, and hung at loading the wasm file: Uncaught (in promise) CompileError: WebAssembly.instantiateStreaming(): unexpected section <Exception> @+104383

If this enhancement will not be used often, can it be worked around with a few lines of script?

I can only assume that if the js file is programmed in the correct way, this would be completely unnecessary, as it could simply just support both http and https with any issues.

Is there a reason why this should be core and not an add-on in the asset library?

This would make it useful for odd file hosting situations, such as self hosting with no certificate.

It is worth noting that Godot 3 supported doing this, complete with audio, right out of the box, as seen here: http://content.nukley.com/misc/g3daudio/ (click anywhere)

AdriaandeJongh commented 2 days ago

There are good reasons why everything on the internet transitioned to https - for one random example, so that internet providers can't inject code (which I've personally witnessed when abroad). Because of those security concerns, I'd recommend against this and recommend devs to figure out ways to get their games running in test environments where https is possible. Because many devs will take the short and quick road but never transition to the secure way with a feature like this.

Calinou commented 1 day ago

On top of what's been said above, browser developers generally gatekeep new features behind a secure context. This means that if we start using a browser feature that was recently implemented in web browsers (even optionally), it'll only work on a secure origin (HTTPS or http://localhost).

This might be another reason to disallow using HTTP, even if it could be made to work in theory right now.

> This would make it useful for odd file hosting situations, such as self hosting with no certificate.

In this scenario, you can likely use a self-signed certificate with mkcert to avoid HTTPS warnings. Remote clients can bypass the HTTPS warnings if they so wish (at their own risk), assuming the web server does not have HSTS enabled.
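
The secure-context rule discussed in this thread (HTTPS or a loopback host such as http://localhost), as an added example that is not part of the thread or of Godot's exporter code. It approximates how a browser classifies a top-level page URL and which gated interfaces go missing on plaintext HTTP; the function names, the localhost port, and the window-like object are assumptions made for illustration.

```javascript
// Added example, not Godot's exporter code. Approximates the browser rule
// for a top-level page: HTTPS and loopback hosts are secure contexts.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost') || host === '[::1]') {
    return true;
  }
  // The URL parser has already normalised IPv4 forms such as 127.1.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

function classifyPageUrl(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { secure: false, reason: 'unparseable URL' };
  }
  if (url.protocol === 'https:') {
    return { secure: true, reason: 'HTTPS' };
  }
  if (url.protocol === 'http:') {
    return isLoopbackHost(url.hostname)
      ? { secure: true, reason: 'loopback host' }
      : { secure: false, reason: 'plaintext HTTP to a non-loopback host' };
  }
  return { secure: false, reason: 'scheme not covered by this sketch' };
}

// Interfaces browsers expose only in secure contexts ([SecureContext]).
const GATED = [
  ['Web Crypto (crypto.subtle)', (w) => w.crypto && w.crypto.subtle],
  ['Service workers', (w) => w.navigator && w.navigator.serviceWorker],
];

// `win` is a window-like object; in a browser, pass `globalThis`.
function missingGatedFeatures(win) {
  const missing = win.isSecureContext === true ? [] : ['Secure Context'];
  for (const [name, probe] of GATED) {
    if (!probe(win)) missing.push(name);
  }
  return missing;
}

// One URL from the thread and one constructed local test URL.
console.log(classifyPageUrl('http://content.nukley.com/misc/withoutthread/'));
console.log(classifyPageUrl('http://localhost:8060/'));
```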