问题
In Chrome 60, they added a feature that disables crypto.subtle
for non-TLS connections. Our product needs to run a local server and forward some secure remote connections to localhost
for security reasons. Because localhost
isn't technically a named domain, we cannot use TLS--effectively making crypto.subtle
unusable in Chrome (and chromium-based browsers like Opera), and forcing us to use a less secure shim like asmCrypto.js. Is there any way to tell Chrome to enable crypto.subtle
through headers? Is there any way to disable the new feature in the settings that we can tell users about (worst case scenario)?
回答1:
In Chrome 60, they added a feature that disables crypto.subtle for non-TLS connections
Not exactly, crypto.subtle
is disabled for non-secure origins since first supported version (chrome 32?)
But localhost
is considered a secure origin https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
“Secure origins” are origins that match at least one of the following (scheme, host, port) patterns:
(https, *, *)
(wss, *, *)
(*, localhost, *)
(*, 127/8, *)
(*, ::1/128, *)
(file, *, —)
(chrome-extension, *, —)
So you should be able to use Web Cryptographi Api on http://localhost
.
Are you using HTTPS for your site? It could be that you had a problem related to mixing HTTPS and HTTP. Chrome will block the HTTP connection to localhost. Then you could generate a self-signed certificate for 127.0.0.1 and launch your local server with HTTPS (similar to @SLaks answer but you will not need a hosts
entry )
回答2:
You should make a CNAME or hosts
entry that points a valid domain at 127.0.0.1
, then get a (perhaps self-signed) certificate for that domain.
来源:https://stackoverflow.com/questions/46670556/how-to-enable-crypto-subtle-for-unsecure-origins-in-chrome