Re: Secure origin requirement in Chrome/WebCrypto from Eric Roman on 2014-09-26 (public-webcrypto-comments@w3.org from September 2014)

From: Eric Roman <ericroman@google.com>
Date: Fri, 26 Sep 2014 12:30:07 -0700
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Ryan Sleevi <sleevi@google.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Message-ID: <CAFswn4=crvZQMB-quSoHo--r5DiPTFQTvDqhVEh854ovdfzwpQ@mail.gmail.com>

In Chrome http://localhost/ is considered a secure origin and has access to
webcrypto. Perhaps this will suffice for your development purposes?

If the server you are testing doesn't run on localhost, you could either
point the HOSTS at it, or do the same thing in Chrome with a command line
flag like --host-resolver-rules="MAP localhost www.myserver.com"

On Thu, Sep 25, 2014 at 2:11 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> I did not expect Google to embrace this idea since it departs from your
> goals and implementation.
>
> Whatever the final solution will be I hope it doesn't become an
> implementation issue.
>
> I haven't been able to get a local WebCrypto-enabled system to run either
> due to Chrome's
> specific requirement on SSL certificates so I develop using Firefox and
> leave Chrome
> testing to the public site.  This feels a bit strange.
>
> Anders
>
> On 2014-09-25 10:19, Ryan Sleevi wrote:
>
>
>> On Sep 24, 2014 11:27 PM, "Anders Rundgren" <
>> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>
>> wrote:
>>  >
>>  > During my work with a WebCrypto-enabled application I found that
>>  > Firefox "Nightly" and Chrome "Canary" have different behavior.
>>  >
>>  > Chrome apparently requires HTTPS (presumably also with a "genuine"
>>  > certificate)
>>
>> Presumption is not correct.
>>
>>  > for executing some (?) methods like import of keys.
>>
>> All methods.
>>
>>  >
>>  > I perfectly well understand the motives but it makes *development*
>> harder.
>>  > IMO, it would be better to making this requirement a recommendation.
>>  >
>>
>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=25972
>>
>>  > WebCrypto won't anyway be useful for people who lack insight in applied
>>  > cryptography, secure protocols and server hardening but that's
>> entirely OK :-)
>>  >
>>
>> We disagree.
>>
>> http://www.chromium.org/Home/chromium-security/security-
>> faq#TOC-Why-are-some-web-platform-features-only-
>> available-in-HTTPS-page-loads-
>>
>>  > Cheers,
>>  > Anders
>>  >
>>
>>
>
>

Received on Friday, 26 September 2014 19:30:35 UTC