[Poll] do you use http or https? #90

Closed
jimmywarting opened this issue Mar 15, 2019 · 9 comments

@jimmywarting
Owner

jimmywarting commented Mar 15, 2019

As the title says:

Do you use StreamSaver.js on secure (https) or insecure (http) in production websites?

  • click 🎉 for https (secure)
  • click 👀 for http (insecure)

I'm just curious if folks are using StreamSaver's popup hack that is required by insecure pages. I could include Google Analytics on GitHub pages, but I'm not going to do that as I value everyone's privacy.

▼Vote with reaction▼
(you can choose both)

@TexKiller
Contributor

Quick information: Web Extensions on Firefox run as if they were http (insecure) pages, so, according to my tests, without the popup trick those extensions would be incapable of using the library.

@jimmywarting
Owner Author

jimmywarting commented Mar 18, 2019

@TexKiller, hmm, I think FF web extensions should be considered secure? Perhaps it can work with an iframe solution if we just detect it?

Current detection is:

  const secure = location.protocol === 'https:' ||
                 location.protocol === 'chrome-extension:' ||
                 location.hostname === 'localhost'

Maybe it will work in some background file (if it's an extension).

I don't know much about Firefox extensions; perhaps it's possible to install the sw.js within an iframe, or maybe it isn't.

I found one list of secure origins

  • (https, *, *)
  • (wss, *, *)
  • (*, localhost, *)
  • (*, 127/8, *)
  • (*, ::1/128, *)
  • (file, *, —)
  • (chrome-extension, *, —)

And a chrome flag

  • --unsafely-treat-insecure-origin-as-secure="example.com"

@jimmywarting
Owner Author

According to this spec, a popup like mine should be considered insecure? Therefore I should not be able to install a sw.js? But if I added "noopener" to my open command, it's fine?

window.open("https://example.com/", "", "noopener")

@jimmywarting
Owner Author

Oh, found something interesting in the spec 🙂

window.isSecureContext

@TexKiller
Contributor

@jimmywarting, Web Extensions on Firefox run from the moz-extension protocol (in Chrome they run from the chrome-extension protocol). In my tests I was incapable of getting a Service Worker to intercept any requests if it is created on an iframe there. I'll create an example extension and put it here shortly.

@jimmywarting
Owner Author

jimmywarting commented Mar 18, 2019

Could you also test the isSecureContext, if it's a boolean and what the value is, while you are at it?

@TexKiller
Contributor

TexKiller commented Mar 18, 2019

Sure thing :)

Steps to test it:

  1. Download the sample extension here: https://texkiller.eu.org/StreamSaver/moz-extension/StreamSaver.js-moz-extension.zip
  2. Extract it to some folder
  3. Navigate to this URL in Firefox: about:debugging#addons
  4. Click on "Load Temporary Add-on..."
  5. Navigate to the folder where you extracted the files and choose manifest.json
  6. The extension is loaded. Now click on the green down arrow icon that has appeared on the toolbar to the upper right
  7. A test page is now open, with a button to test the behaviour of the library. The button label will tell the value of window.isSecureContext (it is true here on Firefox v65.0).

The included StreamSaver.js file is the same as in this repository, except for the following condition added to the secure context detection to make it run inside an iframe:
location.protocol === 'moz-extension:'
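
The secure-origin list quoted earlier in the thread, combined with the `window.isSecureContext` check and the opt-in `moz-extension:` condition above, as an added example that is not part of the thread or of StreamSaver.js. The names `isListedSecureOrigin`, `detectSecure` and `extraSchemes` are hypothetical, and the sample URLs in the comments are constructed.

```javascript
// Added example, not StreamSaver.js code. Scheme-only entries from the list
// quoted in the thread: (https,*,*), (wss,*,*), (file,*,—), (chrome-extension,*,—)
const SECURE_SCHEMES = new Set(['https:', 'wss:', 'file:', 'chrome-extension:'])

// Hypothetical helper: true if `url` matches one of the listed secure origins.
// `extraSchemes` lets a caller opt in to e.g. 'moz-extension:' explicitly.
function isListedSecureOrigin (url, extraSchemes = []) {
  let u
  try {
    u = new URL(url)
  } catch (err) {
    return false // unparsable input is never treated as secure
  }
  if (SECURE_SCHEMES.has(u.protocol) || extraSchemes.includes(u.protocol)) {
    return true
  }
  const host = u.hostname
  // (*, localhost, *): exact match only, so localhost.example.com fails
  if (host === 'localhost') return true
  // (*, ::1/128, *): URL.hostname keeps the brackets around IPv6 literals
  if (host === '[::1]') return true
  // (*, 127/8, *): anchored match, so 127.0.0.1.example.com fails
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host)
  return m !== null && m.slice(1).every(octet => Number(octet) <= 255)
}

// Hypothetical wrapper: trust the browser's own verdict when it exposes
// isSecureContext as a boolean, otherwise fall back to the list above.
// `env` is a window-like object: { isSecureContext?, location: { href } }.
function detectSecure (env, extraSchemes = []) {
  if (typeof env.isSecureContext === 'boolean') return env.isSecureContext
  return isListedSecureOrigin(env.location.href, extraSchemes)
}
```

In a page this would be called as `detectSecure(window)`; the anchored hostname checks are what keep look-alike hosts from being classified as loopback.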

@TexKiller
Contributor

TexKiller commented Mar 18, 2019

While running this sample extension here on Firefox v65.0, everything goes well until after I click the button: when it is time to navigate to the "intercept-me-nr" URL and start the download, the GitHub 404 page is shown instead of the download.

You can modify the files on the extension folder and just reload the test page to try different things, if you want.

@TexKiller
Contributor

TexKiller commented Mar 18, 2019

I didn't know this "noopener" parameter. While interesting, it seems pointless here since we won't have any way to communicate with the Service Worker from the insecure page and register the download (it "unsets" window.opener).

After tinkering a lot with the Web Extension on Firefox I have found one way that works, but it involves the Shared Worker from PR #86 and some other tweaks. I can make a sample extension for it too, but it should take some more time since I have to clean up my test code.

Repository owner deleted a comment from L00049485 Mar 27, 2019
@jimmywarting jimmywarting pinned this issue Mar 13, 2020