Re: Secure origin requirement in Chrome/WebCrypto from Anders Rundgren on 2014-09-26 (public-webcrypto-comments@w3.org from September 2014)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 26 Sep 2014 21:44:18 +0200
To: Eric Roman <ericroman@google.com>
CC: Ryan Sleevi <sleevi@google.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Message-ID: <5425C212.6020003@gmail.com>

On 2014-09-26 21:30, Eric Roman wrote:
> In Chrome http://localhost/ is considered a secure origin and has access to webcrypto. Perhaps this will suffice for your development purposes?
>
> If the server you are testing doesn't run on localhost, you could either point the HOSTS at it, or do the same thing in Chrome with a command line flag like --host-resolver-rules="MAP localhost www.myserver.com <http://www.myserver.com>"

Thanx Eric,

I very much appreciate your tips which certainly apply to some of the stuff I'm doing with WebCrypto.
I hope that the differences between different browsers will eventually be smaller.

Cheers
Anders

>
> On Thu, Sep 25, 2014 at 2:11 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     I did not expect Google to embrace this idea since it departs from your
>     goals and implementation.
>
>     Whatever the final solution will be I hope it doesn't become an implementation issue.
>
>     I haven't been able to get a local WebCrypto-enabled system to run either due to Chrome's
>     specific requirement on SSL certificates so I develop using Firefox and leave Chrome
>     testing to the public site.  This feels a bit strange.
>
>     Anders
>
>     On 2014-09-25 10:19, Ryan Sleevi wrote:
>
>
>         On Sep 24, 2014 11:27 PM, "Anders Rundgren" <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>> wrote:
>          >
>          > During my work with a WebCrypto-enabled application I found that
>          > Firefox "Nightly" and Chrome "Canary" have different behavior.
>          >
>          > Chrome apparently requires HTTPS (presumably also with a "genuine"
>          > certificate)
>
>         Presumption is not correct.
>
>          > for executing some (?) methods like import of keys.
>
>         All methods.
>
>          >
>          > I perfectly well understand the motives but it makes *development* harder.
>          > IMO, it would be better to making this requirement a recommendation.
>          >
>
>         https://www.w3.org/Bugs/Public/show_bug.cgi?id=25972
>
>          > WebCrypto won't anyway be useful for people who lack insight in applied
>          > cryptography, secure protocols and server hardening but that's entirely OK :-)
>          >
>
>         We disagree.
>
>         http://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-are-some-web-platform-features-only-available-in-HTTPS-page-loads-
>
>          > Cheers,
>          > Anders
>          >
>
>
>
>

Received on Friday, 26 September 2014 19:45:13 UTC