Secure Contexts #602
Comments
|
I believe that
|
|
OK, that's a good observation. I guess for the purpose of this library, which always tries to use the best-available resource for generating randomness, the observed behavior is fine. I'm wondering what code paths our (browser) tests are testing though… I think we should investigate if they are loading the test page in a secure or insecure context (if we want to ensure that the native code path is covered). |
Very good point 👍 |
|
FWIW, 'looks like BrowserStack tests use HTTP: |
|
As far as I understand, APIs restricted to secure contexts are still available on localhost in insecure contexts… But still have to verify. |
|
I tried Browserstack live local testing with Chrome 95 and it indeed appears like
@bcoe does this match your expectations as well? |
|
From §3.1.5 of the Secure Context spec:
|
|
@ctavan Do you know if there's a way to configure our BrowserStack CI to use a non-localhost domain for testing? (like... add As you've said, it'd be nice to actually test the non-secure case. |
|
I haven’t investigated yet but I agree that we should try to establish test coverage for this case. |
|
It looks like browserstack serves a DNS entry for |
|
While I'd love to get insecure context testing in CI, I don't see a trivial path to that at the moment. Nor am I concerned enough to say this should hold up the v9 release. We can revisit if/when we miss a regression in a future release. I have every confidence our users will complain loudly when that happens. 😈 @ctavan If you feel this needs to be a v9 release blocker go ahead and reopen. |
Now that #600 has been merged, I just realized that given WICG/uuid#23 this change may actually have introduced a subtle breaking change in that in modern browsers v4 UUID generation will now only work in secure contexts.
How are we going to deal with this? (cc @LinusU)
The text was updated successfully, but these errors were encountered: