getUserMedia() in chrome 47 without using https


Problem description



In chrome version 47 they force you to use https to be allowed to use getUserMedia(). Unfortunately, I can't use https in my whole web, I only use it in the login rest (It's a SPA - single page app). So, the address to the web is without https, only the login rest uses ssl. I use this repo with very little changes: https://github.com/Jmlevick/html-recorder

My question is if there is any way to use an audio recorder in my web app and keep my web address with http and not https? What ideas do you have to overcome this issue?

Solution

getUserMedia allows you to listen in to the private conversations of the user. If it were enabled over unencrypted HTTP, this would allow an attacker to inject code that listens in and sends the conversations to the attacker. For example, if you are in a private conference room of a hotel with unencrypted WiFi, everybody in the vicinity of the hotel could listen in. Even if your app does not usually deal with sensitive conversations, an attacker could replace your code with theirs in order to listen in at a later time, when another app is in use.

Therefore, getUserMedia is only available from secure contexts. For testing, you can exempt your domain by starting Chrome with --unsafely-treat-insecure-origin-as-secure="example.com", or simply test under http://localhost/.

If you want your app to listen to the user's microphone, you must serve it via TLS. There is no way around it. If there were, it would be regarded as a security hole and fixed in the next version of the browsers.
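
The secure-context rule described in the answer above, as an added example that is not part of the original question or answer: this JavaScript approximates which page URLs a browser treats as secure (HTTPS or loopback) and guards the microphone request accordingly. The helper names isLikelySecureOrigin, microphoneBlockReason and requestMicrophone are hypothetical, and the code assumes a current browser that exposes isSecureContext and navigator.mediaDevices.

```javascript
// Added example, not code from the original post. Helper names are hypothetical.

// Approximates the browser's "potentially trustworthy origin" rule to predict
// whether getUserMedia() will be exposed for a given page URL.
function isLikelySecureOrigin(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable URL: treat as insecure
  }
  if (url.protocol === 'https:') return true;
  // Loopback is exempt, which is why testing under http://localhost/ works.
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true; // IPv6 loopback (URL keeps the brackets)
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host); // 127.0.0.0/8
}

// Returns null when the microphone can be requested, otherwise a reason code.
// env is the browser's global object; it is a parameter so the check can be
// exercised outside a browser.
function microphoneBlockReason(env) {
  // Inside a page, isSecureContext is the browser's own verdict.
  if (env.isSecureContext !== true) return 'insecure-context';
  const devices = env.navigator && env.navigator.mediaDevices;
  if (!devices || typeof devices.getUserMedia !== 'function') return 'unsupported';
  return null;
}

// Browser entry point: fail with a clear reason instead of a TypeError when
// the page was loaded over plain HTTP.
async function requestMicrophone(env = globalThis) {
  const reason = microphoneBlockReason(env);
  if (reason) throw new Error('Microphone unavailable: ' + reason);
  return env.navigator.mediaDevices.getUserMedia({ audio: true });
}
```
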
