tauri-apps / tauri

Build smaller, faster, and more secure desktop applications with a web frontend.
https://tauri.app
Apache License 2.0

Access to the WebCrypto API is restricted to secure origins #1680

Closed wighawag closed 3 years ago

wighawag commented 3 years ago

Describe the bug

I am using a library that relies on the WebCrypto API and get this error when that library is loaded (it is loaded on demand):

Uncaught (in promise) [Portis] Access to the WebCrypto API is restricted to secure origins.
If this is a development environment please use http://localhost: instead.
Otherwise, please use an SSL certificate.

Is WebCrypto not available in Tauri?

lucasfernog commented 3 years ago

Is this on dev or on build? Tauri relies on the crypto API so it should be available.

wighawag commented 3 years ago

both

nothingismagick commented 3 years ago

Can you please give us more details about your system? yarn tauri info is a good start, as is the frontend framework you are using.

lucasfernog commented 3 years ago

What OS are you running and which API are you trying to use? Tauri relies on crypto.getRandomValues.

wighawag commented 3 years ago

tauri info

Operating System - Windows, version 10.0.19042 X64

Node.js environment
  Node.js - 14.16.0
  @tauri-apps/cli - 1.0.0-beta-rc.4
  @tauri-apps/api Not installed

Global packages
  npm - 6.14.11
  yarn - 1.22.5

Rust environment
  rustc - 1.51.0
  cargo - 1.51.0

App directory structure
/.svelte
/.vscode
/build
/node_modules
/src
/src-tauri
/static

App
  tauri.rs - 1.0.0-beta-rc.4
build-type - bundle
CSP - default-src blob: data: filesystem: ws: http: https: 'unsafe-eval' 'unsafe-inline'
distDir - ../build
devPath - ../build

framework: svelte+svelte-kit

The library that is causing the problem is loaded via a script tag element created at runtime. I need to look deeper into what exactly they are using: https://www.npmjs.com/package/@portis/web3

amrbashir commented 3 years ago

This is their detection function:

export function validateSecureOrigin() {
  const isLocalhost = location.hostname === 'localhost' || location.hostname === '127.0.0.1';
  const isSecureOrigin = location.protocol === 'https:';
  const isSecure = isLocalhost || isSecureOrigin;

  if (!isSecure) {
    throw `[Portis] Access to the WebCrypto API is restricted to secure origins.\nIf this is a development environment please use http://localhost:${
      location.port
    } instead.\nOtherwise, please use an SSL certificate.`;
  }
}

So I think we already fixed this; at least on Windows we are using the https: protocol. We need to check Linux and macOS.

lucasfernog commented 3 years ago

This change is on wry 0.9, so it'll be available on the next release.
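
The detection function quoted in this thread decides from the URL string alone. The following added example (not code from the thread, from Portis, or from Tauri) runs that same logic beside a capability check over constructed environments, to show where the two disagree. The helper names, the `app:` scheme and the sample objects are assumptions made for illustration; the last sample assumes a webview that treats its own non-https scheme as a secure context.

```javascript
// Added illustration: helper names and all sample environments are constructed.

// Same decision logic as the quoted library check, but taking the location
// as a parameter so it can be exercised outside a browser.
function originStringCheck(loc) {
  const isLocalhost = loc.hostname === 'localhost' || loc.hostname === '127.0.0.1';
  const isSecureOrigin = loc.protocol === 'https:';
  return isLocalhost || isSecureOrigin;
}

// Capability check: ask the runtime whether it treats the page as a secure
// context and whether SubtleCrypto is actually exposed.
function capabilityCheck(env) {
  return env.isSecureContext === true &&
    typeof env.crypto === 'object' && env.crypto !== null &&
    typeof env.crypto.subtle === 'object' && env.crypto.subtle !== null;
}

// Constructed stand-ins for what a page might observe in each environment.
const fakeSubtle = { digest() {} };
const samples = [
  { name: 'https site',
    location: { protocol: 'https:', hostname: 'example.com' },
    isSecureContext: true, crypto: { subtle: fakeSubtle } },
  { name: 'http localhost dev server',
    location: { protocol: 'http:', hostname: 'localhost' },
    isSecureContext: true, crypto: { subtle: fakeSubtle } },
  { name: 'plain http site',
    location: { protocol: 'http:', hostname: 'example.com' },
    isSecureContext: false, crypto: {} },
  { name: 'webview custom scheme (hypothetical app:)',
    location: { protocol: 'app:', hostname: 'bundle' },
    isSecureContext: true, crypto: { subtle: fakeSubtle } },
];

// Evaluate both checks for every environment.
function compare(envs) {
  return envs.map((env) => ({
    name: env.name,
    originString: originStringCheck(env.location),
    capability: capabilityCheck(env),
  }));
}

// Names of environments where the URL-string check and the runtime disagree.
function disagreements(envs) {
  return compare(envs).filter((r) => r.originString !== r.capability).map((r) => r.name);
}

console.table(compare(samples));
```

In a real page the `env` argument would be `window` (or `globalThis`), whose `isSecureContext` and `crypto.subtle` reflect what the webview actually permits.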