-
-
Notifications
You must be signed in to change notification settings - Fork 915
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure Contexts #602
Comments
OK, that's a good observation. I guess for the purpose of this library, which always tries to use the best-available resource for generating randomness, the observed behavior is fine. I'm wondering what code paths our (browser) tests are testing though… I think we should investigate if they are loading the test page in a secure or insecure context (if we want to ensure that the native code path is covered). |
Very good point 👍 |
As far as I understand, APIs restricted to secure contexts are still available on localhost in insecure contexts… But still have to verify. |
I tried Browserstack live local testing with Chrome 95 and it indeed appears like @bcoe does this match your expectations as well? |
From §3.1.5 of the Secure Context spec:
|
@ctavan Do you know if there's a way to configure our BrowserStack CI to use a non-localhost domain for testing? (like... add As you've said, it'd be nice to actually test the non-secure case. |
I haven’t investigated yet but I agree that we should try to establish test coverage for this case. |
It looks like browserstack serves a DNS entry for |
While I'd love to get insecure context testing in CI, I don't see a trivial path to that at the moment. Nor am I concerned enough to say this should hold up the v9 release. We can revisit if/when we miss a regression in a future release. I have every confidence our users will complain loudly when that happens. 😈 @ctavan If you feel this needs to be a v9 release blocker go ahead and reopen. |
Now that #600 has been merged, I just realized that given WICG/uuid#23 this change may actually have introduced a subtle breaking change in that in modern browsers v4 UUID generation will now only work in secure contexts.
How are we going to deal with this? (cc @LinusU)
The text was updated successfully, but these errors were encountered: