How to enable crypto.subtle for unsecure origins in Chrome?

Question

In Chrome 60, they added a feature that disables crypto.subtle for non-TLS connections. Our product needs to run a local server and forward some secure remote connections to localhost for security reasons. Because localhost isn't technically a named domain, we cannot use TLS--effectively making crypto.subtle unusable in Chrome (and chromium-based browsers like Opera), and forcing us to use a less secure shim like asmCrypto.js. Is there any way to tell Chrome to enable crypto.subtle through headers? Is there any way to disable the new feature in the settings that we can tell users about (worst case scenario)?

Recommended answer

In Chrome 60, they added a feature that disables crypto.subtle for non-TLS connections

Not exactly; crypto.subtle has been disabled for non-secure origins since the first supported version (Chrome 32?)

But localhost is considered a secure origin https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features

"Secure origins" are origins that match at least one of the following (scheme, host, port) patterns:

  • (https, *, *)

  • (wss, *, *)

  • (*, localhost, *)

  • (*, 127/8, *)

  • (*, ::1/128, *)

  • (file, *, —)

  • (chrome-extension, *, —)

So you should be able to use the Web Cryptography API on http://localhost.

Are you using HTTPS for your site? It could be that you had a problem related to mixing HTTPS and HTTP. Chrome will block the HTTP connection to localhost. Then you could generate a self-signed certificate for 127.0.0.1 and launch your local server with HTTPS (similar to @SLaks' answer, but you will not need a hosts entry).
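
The pattern list quoted in the answer, written as a check that can be run against a page URL and a local server URL (an added example, not part of the original answer; the function names and sample URLs are constructed for illustration):

```javascript
// Added example: classify a URL against the (scheme, host, port) patterns
// quoted in the answer. Returns the matching pattern, or null if none match.
function matchSecurePattern(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  const host = url.hostname;

  if (scheme === "https") return "(https, *, *)";
  if (scheme === "wss") return "(wss, *, *)";
  if (scheme === "file") return "(file, *, —)";
  if (scheme === "chrome-extension") return "(chrome-extension, *, —)";
  if (host === "localhost") return "(*, localhost, *)";
  // For http/ws URLs the URL parser normalises IPv4 hosts to dotted-quad
  // form, so "127.1" has already become "127.0.0.1" at this point.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return "(*, 127/8, *)";
  // IPv6 hosts are kept in brackets and compressed, so every spelling of
  // the loopback address arrives here as "[::1]".
  if (host === "[::1]") return "(*, ::1/128, *)";
  return null;
}

// Compare the page origin with the local server it talks to.
function diagnose(pageUrl, localUrl) {
  const page = new URL(pageUrl);
  const local = new URL(localUrl);
  return {
    pagePattern: matchSecurePattern(pageUrl),
    localPattern: matchSecurePattern(localUrl),
    // The case the answer asks about: an HTTPS page calling a plain-HTTP
    // local server.
    httpsPageToHttpLocal:
      page.protocol === "https:" && local.protocol === "http:",
  };
}

// In a browser, log the prediction next to what the page actually sees.
if (typeof window !== "undefined") {
  console.log(
    location.origin,
    matchSecurePattern(location.href),
    window.isSecureContext,
    typeof crypto.subtle
  );
}
```

A `null` result for the page URL means none of the quoted patterns apply, which is the case where `crypto.subtle` is expected to be undefined.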
