saljam / webwormhole

Peer authenticated WebRTC.
BSD 3-Clause "New" or "Revised" License

web: make flow or message make it clear that the tool generates the phrase for you #91

Open elithrar opened 3 years ago

elithrar commented 3 years ago

Chrome Version 90.0.4430.93 (Official Build) (x86_64)

Steps to reproduce:

  1. Visit webwormhole.io
  2. Create a phrase + join
  3. Observe an uncaught exception in the console
  4. Attempting to join from other clients fails

Uncaught (in promise) bad code
(anonymous) @ webwormhole.js:19
(anonymous) @ webwormhole.js:18
Wormhole @ webwormhole.js:17
connect @ main.js:358

Possibly related is that the Wasm loader fails due to an invalid/incompatible CSP - "Content Security Policy of your site blocks the use of 'eval' in JavaScript" is reported by Chrome only when we execute the below:

async function wasmready() {
    if (!hacks.nowasm) {
        const go = new Go();
        const wasm = await WebAssembly.instantiateStreaming( // Content-Security-Policy warning triggers here
            fetch(hacks.wasmURL),
            go.importObject,
        );
        go.run(wasm.instance);
    }
}

You need to (unfortunately...) allow unsafe-eval to execute Wasm per https://github.com/WebAssembly/content-security-policy/issues/7
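
An added example, not part of the original thread or the project's code: a small JavaScript checker that classifies how a CSP header value treats Wasm compilation under the CSP Level 3 rules, separating the broad 'unsafe-eval' mentioned above from the narrower 'wasm-unsafe-eval' source keyword. The function names and the sample policies are constructed for illustration.

```javascript
// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by the browser; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Classify a single policy as one of:
//   "unrestricted"  - no script-src/default-src, so Wasm is not governed by it
//   "blocked"       - script execution is restricted and Wasm is not allowed
//   "wasm-only"     - 'wasm-unsafe-eval': Wasm allowed, eval() still blocked
//   "eval-and-wasm" - 'unsafe-eval': Wasm allowed, but so is eval()
function wasmPolicy(header) {
  const d = parseCsp(header);
  // Wasm compilation is governed by script-src, falling back to default-src.
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return "unrestricted";
  const keywords = sources.map((s) => s.toLowerCase());
  if (keywords.includes("'unsafe-eval'")) return "eval-and-wasm";
  if (keywords.includes("'wasm-unsafe-eval'")) return "wasm-only";
  return "blocked";
}

// Constructed sample policies, not taken from webwormhole.io.
const SAMPLES = [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'",
  "img-src *",
  "script-src 'self'; script-src 'unsafe-eval'",
];

for (const policy of SAMPLES) {
  console.log(wasmPolicy(policy).padEnd(14), policy);
}
```

A result of "eval-and-wasm" marks a policy that could be tightened to 'wasm-unsafe-eval' where the target browsers support that keyword.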

saljam commented 3 years ago

Hi Matt!

That Chrome warning is almost certainly a red herring. The Wasm actually runs fine despite it. It's been annoying me for almost a year! Proof for your case: the code that encodes and decodes the phrase is in Wasm. So if you got that far your browser is running Wasm fine.

Now why it failed: "bad code" error means we couldn't decode the phrase. Possibly a typo? I know our wordlist still has a few words that sound similar.

The fact that it is uncaught is definitely a regression though! This used to print a more helpful message.

elithrar commented 3 years ago

Interesting - the phrase was just HELLOTHERE. Using GORILLA still generates the error and a failure to connect -


I wonder if this is a local/corp proxy issue.

Update: No, going direct, instead of through the corp proxy, does not rectify. Using Chrome v90 and Firefox 88.0.1 (64-bit) as my two clients.

saljam commented 3 years ago

for the record: this is an issue in the instructions in the initial prompt.

it's not clear enough that the tool picks the phrase for the user, so folks who haven't used it before often try to pick their own, e.g. #85.