"Secure origin" other than HTTPS?

Sometimes I see this warning in Chrome Devtools:

You should consider switching your application to a secure origin, such as HTTPS.

What's up with this "such as HTTPS"? Are there "secure origins" other than HTTPS that you can serve a website with?

I have no problem using https (I have it enabled on all the websites I'm working on). This question is purely out of curiosity.

Skeets asked Aug 22 '18 01:08



1 Answer

Short answer: Yes, localhost is a secure origin. Chrome also has a command line flag to treat specified HTTP endpoints as secure: --unsafely-treat-insecure-origin-as-secure=http://a.test,http://b.test. So it's not just "HTTPS".

Longer answer: Other schemes such as blob:, wss:, and chrome-extension: can also be considered secure contexts. about:blank is a common example that can vary, since the browser has to remember how it got there. And an iframe pointing at an HTTPS page, but embedded in an HTTP page, would not be secure.

To determine what the browser thinks of all this, examine the value of window.isSecureContext. The spec is here: https://w3c.github.io/webappsec-secure-contexts/

This chromium page https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins gives some context and links to the spec above.

For instance, data: URLs are insecure but blob: URLs are secure.

<!doctype html>
<p>data url is insecure</p>
<iframe id="a" width="100" height="25"></iframe>

<p>blob url is secure</p>
<iframe id="b" width="100" height="25"></iframe>

<script>
// Each iframe loads a tiny document that writes its own isSecureContext value.
// The closing tag is split so the browser does not end this script block early.
const src = "<script>document.write(isSecureContext)</scr" + "ipt>";

// data: URL, shown here as insecure.
document.getElementById("a").src = `data:text/html,${src}`;

// blob: URL created by this page, shown here as secure.
document.getElementById("b").src = URL.createObjectURL(
  new Blob([src], { type: "text/html" }));
</script>
Josh Lee answered Sep 23 '22 08:09

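The rules the answer lists (https/wss, localhost and loopback, file:, blob: inheriting its creator's origin, chrome-extension:, and the --unsafely-treat-insecure-origin-as-secure allowlist) are the steps of the spec's "Is origin potentially trustworthy?" algorithm. The following is an added Node.js example, not code from the answer or from any browser, that approximates that origin-level check so the cases above can be tried outside a browser; the `treatAsSecure` parameter is a stand-in for Chrome's flag, and about:blank is out of scope because it inherits its creator's context rather than being judged by URL.

```javascript
// Added example: an approximation of the Secure Contexts spec's
// "Is origin potentially trustworthy?" (section 3.1) plus the blob: rule,
// using only the built-in WHATWG URL class. Returns true/false.
const AUTHENTICATED_SCHEMES = new Set(["chrome-extension:"]); // UA-specific (step 7)
const TUPLE_ORIGIN_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "file:"]);

function isPotentiallyTrustworthy(input, treatAsSecure = []) {
  let url;
  try { url = new URL(input); } catch { return false; } // unparsable: not trustworthy

  // blob: URLs carry the origin of the context that created them,
  // so evaluate the embedded URL instead.
  if (url.protocol === "blob:") {
    return isPotentiallyTrustworthy(url.href.slice("blob:".length), treatAsSecure);
  }

  // Step 7: schemes the browser treats as authenticated are trustworthy outright.
  if (AUTHENTICATED_SCHEMES.has(url.protocol)) return true;

  // Step 1: anything without a tuple origin (data:, javascript:, ...) has an
  // opaque origin, which is never trustworthy on its own.
  if (!TUPLE_ORIGIN_SCHEMES.has(url.protocol)) return false;

  // Step 3: encrypted, authenticated transports.
  if (url.protocol === "https:" || url.protocol === "wss:") return true;

  // Step 4: loopback addresses (IPv6 hostnames come back in brackets).
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "::1" || /^127(\.\d{1,3}){3}$/.test(host)) return true;

  // Step 5: localhost names, assuming the browser resolves them to loopback.
  if (/^(.+\.)?localhost\.?$/.test(host)) return true;

  // Step 6: local files.
  if (url.protocol === "file:") return true;

  // Step 8: origins explicitly configured as trustworthy (the Chrome flag).
  if (treatAsSecure.includes(url.origin)) return true;

  return false; // step 9
}
```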