
neat tool. I would encrypt the payload type and extension tho

>Some browsers disable window.crypto on local files and non-TLS servers

which ones do that?



It is documented [1] as only being available in secure contexts, which is normally https:// but does include file:// urls. Testing now, it works for me in Chrome, Safari, Brave, and Firefox.

If you put:

    <script>
      window.crypto.subtle.generateKey(
        {name: "ECDSA", namedCurve: "P-256"},
        false, ["sign", "verify"])
      .then(function(key){alert(key.publicKey)})
    </script>
in a local HTML file and visit it in your browser, all four browsers alert with "[object CryptoKey]".

[1] https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subt...

[2] https://developer.mozilla.org/en-US/docs/Web/Security/Secure...
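Added example (not part of the comment above or of the tool under discussion): a small diagnostic for the situation this thread describes, telling an insecure context apart from a browser that withholds `crypto.subtle`. The function names and the sample `env` objects are constructed for illustration.

```javascript
// Added example. `env` is a window-like object (pass `window` in a browser).
function webCryptoStatus(env) {
  const protocol = env.location ? env.location.protocol : "(unknown)";
  const hasCrypto = typeof env.crypto === "object" && env.crypto !== null;
  const hasSubtle = hasCrypto &&
    typeof env.crypto.subtle === "object" && env.crypto.subtle !== null;

  if (hasSubtle) {
    return { usable: true, protocol, reason: "crypto.subtle is exposed" };
  }
  if (env.isSecureContext === false) {
    // Expected on plain http:// to a non-localhost origin.
    return { usable: false, protocol,
             reason: "insecure context; serve over https:// or from localhost" };
  }
  if (!hasCrypto) {
    return { usable: false, protocol, reason: "no crypto object at all" };
  }
  return { usable: false, protocol,
           reason: "secure context but crypto.subtle is missing" };
}

// Presence of crypto.subtle does not prove it works, so run the same
// ECDSA P-256 key generation the comment above used. Resolves to true/false.
async function probeKeygen(env) {
  if (!webCryptoStatus(env).usable) return false;
  try {
    const key = await env.crypto.subtle.generateKey(
      { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
    return Boolean(key && key.publicKey && key.privateKey);
  } catch (err) {
    return false;
  }
}

// Constructed sample environments (not captured from real browsers).
const SAMPLE_HTTP = { isSecureContext: false, crypto: {}, location: { protocol: "http:" } };
const SAMPLE_FILE = { isSecureContext: true, crypto: { subtle: {} }, location: { protocol: "file:" } };

if (typeof window !== "undefined") {
  console.log(webCryptoStatus(window));
  probeKeygen(window).then((ok) => console.log("keygen works:", ok));
}
```

Pasting this into a `<script>` tag in a local file and in a page served over plain HTTP shows which of the two cases a given browser falls into.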


Brave and Safari that I know of.

i.e. if you run the creator with a simple HTTP server on localhost:8080 it'll block the fetch to localhost:8080/foo


for local files as well?


Yes.

If that wasn't the case, then "HTML virus" would be a thing: I send you an HTML file and, if you open it, it reads files from your hard drive and uploads them to my server.


I should have clarified - I mean I was wondering if any browsers block fetch to remote URLs from local files

I do vaguely recall encountering some problem I didn't expect when I was making a tool contained in a local html file, but I don't remember which browser I was using at the time


The problem with your scenario is the reading of the local files without permission, not the use of the crypto API.


You are right, I'm conflating 2 issues.

I'm pretty sure Brave was blocking window.crypto but can't remember if it was on a file or over plain HTTP


Blocking crypto on http:// is to spec (aside from localhost) and all the browsers do that.

Blocking crypto on file:// is not to spec, and testing above (https://news.ycombinator.com/item?id=34084526) none of the browsers do that.


It's been a while and I don't remember the details.

All I remember is that I was developing the secret 'creator' code using Brave (my default unsecured browser) and at some point I had to switch to Safari (which I normally save for trusted websites only).

It's possible it was a red herring, and I switched browser but the problem was something else I did at the same time.



