Replace the HTTPS check with `window.isSecureContext`?

Open maudnals opened this issue 4 years ago • 6 comments

Description:

  • A-Frame Version: latest
  • Platform / Device: all
  • Reproducible Code Snippet or URL: /

Bug: When running an A-Frame app locally on localhost.myapp:8080 on a browser that supports it e.g. Chrome, the alert saying that sensor APIs are not available is displayed. Expected behaviour: no alert, because localhost.myapp:8080 is a SecureContext, so sensor APIs are available.

Analysis/Assumption:

  • According to MDN documentation, device sensors require a SecureContext. I.e. localhost (= 127.0.0.1), or an app running on https.
  • However, right now, the check to display an alert is made "heuristically" / by looking at the URL as a proxy to determine whether this is a SecureContext.

Other issue:

  • The alert text says "Access this site over HTTPS to enter VR mode and grant access to the device sensors" when in fact device sensor access is not about HTTPS (in my understanding!). Rather, it's about SecureContexts, which is a bit different.

Suggestion:

  • Replace the check with the dedicated call window.isSecureContext? and
  • Replace the alert text?

Let me know if this makes sense! Especially: is the MDN list comprehensive, or am I omitting a range of sensor APIs that do need HTTPS?

maudnals avatar Sep 01 '20 16:09 maudnals

I always develop using localhost:8080 and the dialog doesn't show up. What's different about localhost.myapp:8080?

dmarcos avatar Sep 01 '20 16:09 dmarcos

Nothing should be different, exactly, because it is a SecureContext (so the dialog shouldn't show up afaiu). But the check fails, because the implementation only checks against localhost:

https://github.com/aframevr/aframe/blob/7d289e8fb28f2c2895ba49200f502257110d5050/src/components/scene/device-orientation-permission-ui.js#L29

So the dialog shows up.

maudnals avatar Sep 01 '20 16:09 maudnals
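An added example, not part of the thread and not A-Frame's code: it contrasts a URL heuristic of the kind described above with the browser's own `isSecureContext` verdict, keeping the heuristic only as a fallback. All function names and the window-like sample objects are hypothetical and constructed for illustration.

```javascript
// URL heuristic as the thread describes it (an assumed reconstruction):
// treat the page as secure if it is HTTPS or the host is exactly "localhost".
function heuristicIsSecure(location) {
  return location.protocol === 'https:' || location.hostname === 'localhost';
}

// Prefer the browser's verdict; use the heuristic only where
// isSecureContext is not exposed at all (older browsers).
function isSecure(win) {
  if (typeof win.isSecureContext === 'boolean') { return win.isSecureContext; }
  return heuristicIsSecure(win.location);
}

// The alert discussed in the thread is shown when the page is judged insecure.
function shouldShowAlert(win) { return !isSecure(win); }

// Constructed window-like samples. The isSecureContext values are what a
// browser implementing the Secure Contexts spec reports for these URLs.
const SAMPLES = [
  { name: 'http://localhost:8080', isSecureContext: true,
    location: { protocol: 'http:', hostname: 'localhost' } },
  { name: 'http://127.0.0.1:8080', isSecureContext: true,
    location: { protocol: 'http:', hostname: '127.0.0.1' } },
  { name: 'http://192.168.1.69:8100', isSecureContext: false,
    location: { protocol: 'http:', hostname: '192.168.1.69' } },
  { name: 'https://example.com', isSecureContext: true,
    location: { protocol: 'https:', hostname: 'example.com' } },
  // Legacy browser: the property is absent, so the fallback decides.
  { name: 'legacy http://localhost:8080',
    location: { protocol: 'http:', hostname: 'localhost' } }
];

// Names of samples where the heuristic contradicts the browser's verdict.
function disagreements(samples) {
  return samples
    .filter((s) => typeof s.isSecureContext === 'boolean' &&
                   heuristicIsSecure(s.location) !== s.isSecureContext)
    .map((s) => s.name);
}

// In a real page, pass the global window; under Node this line is skipped.
if (typeof window !== 'undefined') {
  console.log('show alert:', shouldShowAlert(window));
}
console.log('heuristic disagrees for:', disagreements(SAMPLES));
```

The plain-HTTP LAN address from a later comment (192.168.1.69:8100) is reported as not secure by both checks, so switching to `isSecureContext` does not change that case.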

I see. PRs are welcome

dmarcos avatar Sep 01 '20 16:09 dmarcos

Commenting on the original issue. While window.isSecureContext might be the way, changing the message will make things more confusing. Secure Context is not understood by the avg. user, while http / https, while technical, is a more familiar term. I'm myself not sure of what a Secure Context means and I've been doing web dev for quite a while now 😄

dmarcos avatar Oct 24 '20 00:10 dmarcos

Since this is still open, please allow for a simple way to turn this off, so I can build and serve on my workstation's localhost, then test from a phone on my local network, i.e. connecting to 192.168.1.69:8100

theisen1337 avatar Mar 06 '22 04:03 theisen1337

There already is a way to easily turn this off, right? https://github.com/aframevr/aframe/blob/7d289e8fb28f2c2895ba49200f502257110d5050/src/components/scene/device-orientation-permission-ui.js#L22

machenmusik avatar Mar 06 '22 16:03 machenmusik