How to enable crypto.subtle for unsecure origins in Chrome?

假如想象 提交于 2019-12-11 00:07:33

问题


In Chrome 60, they added a feature that disables crypto.subtle for non-TLS connections. Our product needs to run a local server and forward some secure remote connections to localhost for security reasons. Because localhost isn't technically a named domain, we cannot use TLS--effectively making crypto.subtle unusable in Chrome (and chromium-based browsers like Opera), and forcing us to use a less secure shim like asmCrypto.js. Is there any way to tell Chrome to enable crypto.subtle through headers? Is there any way to disable the new feature in the settings that we can tell users about (worst case scenario)?


回答1:


In Chrome 60, they added a feature that disables crypto.subtle for non-TLS connections

Not exactly, crypto.subtle is disabled for non-secure origins since first supported version (chrome 32?)

But localhost is considered a secure origin https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features

“Secure origins” are origins that match at least one of the following (scheme, host, port) patterns:

  • (https, *, *)

  • (wss, *, *)

  • (*, localhost, *)

  • (*, 127/8, *)

  • (*, ::1/128, *)

  • (file, *, —)

  • (chrome-extension, *, —)

So you should be able to use Web Cryptographi Api on http://localhost.

Are you using HTTPS for your site? It could be that you had a problem related to mixing HTTPS and HTTP. Chrome will block the HTTP connection to localhost. Then you could generate a self-signed certificate for 127.0.0.1 and launch your local server with HTTPS (similar to @SLaks answer but you will not need a hosts entry )




回答2:


You should make a CNAME or hosts entry that points a valid domain at 127.0.0.1, then get a (perhaps self-signed) certificate for that domain.



来源:https://stackoverflow.com/questions/46670556/how-to-enable-crypto-subtle-for-unsecure-origins-in-chrome

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!