"Secure origin" other than HTTPS?

Question

Sometimes I see this warning in Chrome Devtools:

You should consider switching your application to a secure origin, such as HTTPS.

What's up with this "such as HTTPS"? Are there "secure origins" other than HTTPS that you can serve a website with?

I have no problem using https (I have it enabled on all the websites I'm working on). This question is purely out of curiousity.

Answer 1

Short answer: Yes, localhost is a secure origin. Chrome also has a command line flag to treat specified HTTP endpoints as secure: --unsafely-treat-insecure-origin-as-secure=http://a.test,http://b.test. So it's not just "HTTPS".

Longer answer: Other schemes such as blob:, wss:, and chrome-extension: can also be considered as secure contexts. about:blank is a common example that can vary, since the browser has to remember how it got there. And an iframe pointing at an HTTPS page, but embedded in an HTTP page, would not be secure.

To determine what the browser thinks of all this, examine the value of window.isSecureContext. The spec is here: https://w3c.github.io/webappsec-secure-contexts/

This chromium page https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins gives some context and links to the spec above.

For instance, data: URLs are insecure but blob: URLs are secure.

const src = "<script>document.write(isSecureContext)</scr"+"ipt>";

a.src = `data:text/html,${src}`;

b.src = URL.createObjectURL(
  new Blob([src], {type:'text/html'}));

<p>data url is insecure
<iframe id=a width=100 height=25></iframe>

<p>blob url is secure
<iframe id=b width=100 height=25></iframe>