getUserMedia() in chrome 47 without using https

Question

In chrome version 47 they force you to use https to be allow using getUserMedia(). Unfortunately, I can't use https in my whole web, I only use it in the login rest (It a SPA - single page app). So, the address to the web is without https, only the login rest uses ssl. I use this repo with very little changes: https://github.com/Jmlevick/html-recorder

My question is if is there any way to use audio recorder in my web app and keep my web address with http and not https? what ideas do you have to overcome this issue?

Answer 1

getUserMedia allows you to listen in to the private conversations of the user. If it were enabled over unencrypted HTTP, this would allow an attacker to inject code that listens in and sends the conversations to the attacker. For example, if you if you are in a private conference room of a hotel with unencrypted WiFi, everybody in the vicinity of the hotel could listen in. Even if your app does not usually deal with sensitive conversations, an attacker could replace your code with theirs in order to listen in at a later time, when another app is in use.

Therefore, getUserMedia is only available from secure contexts. For testing, you can exempt your domain by starting Chrome with --unsafely-treat-insecure-origin-as-secure="example.com", or simply test under http://localhost/.

If you want your app to listen to the user's microphone, you must serve it via TLS. There is no way around it. If there were, it would be regarded as a security hole and fixed in the next version of the browsers.

HINT

You might have to add "http://" on the command line, e.g.: --unsafely-treat-insecure-origin-as-secure="http://example.com"