Allow insecure HTTP for local hosts
Hey,
I know whitelisting some domains or giving the option to globally allow HTTP requests has been talked about and decided against, however I haven't seen it anywhere to allow it for local network hosts. For example, if I have a device in my local network which publishes a web frontend in my local network, for which I am unable to add HTTPS encryption, I can't add them as a webapp.
A solution would be to add the option to allow insecure requests to any 192.168.*.* host.
Thanks!
Agree that it would be useful, but just letting you know also that it isn't difficult to use HTTPS locally. You can generate your own self-signed certificates, and accept the certificate when WebApps warns you about it.
Please note that there are some really tiny devices, e.g. MCU-based. SSL is really a burden or impossible for them.
You can have both HTTP and HTTPS enabled at the same time on your local server (this is usually the default).
You might get me wrong. I mean: some servers are so light they don't have SSL/TLS at all.
Aah ok, that's true. I get my microcontrollers to post the data to a Raspberry Pi and then serve it up from there.
> You can generate your own self-signed certificates, and accept the certificate when WebApps warns you about it.

I've tried several methods found on the web, but I never get any warning or chance to accept a self-signed certificate. Instead, I get a small error info with text something like "Trust anchor for certification is invalid" which vanishes after some short time and the URL is not accepted. Can you please help?
It seems newer versions of Android (7+) don't allow trusting unknown CAs, and the answer seems to be to hardcode the CA certificate in the app. Clearly this can't be done with WebApps. I don't know of a solution currently. You can try going to Android Settings > Security > Install from SD card, and try installing your CA certificate. Let us know if that works.
Thank you for the response. I already tried installing the server certificate and also the authority certificate through system settings. Unfortunately it seems that it works only for VPN / Wifi - not for https. It is very unfortunate. I can see 2 possible options:
- allow http for specific webapp - I know this was rejected before, but maybe it's again time to reconsider.
- implement importing certificate through WebApps - I suppose Android application can manage its own truststore.
I am sure that I am not the only one with this problem, I know that implementing option 2 will be nontrivial work, so maybe implementing option 1 with explicit user consent could at least be considered?
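
The per-host cleartext exception requested in this thread depends on deciding reliably which URLs count as "local". The sketch below is an added example, not part of the thread and not WebApps code: it accepts only `http://` URLs whose host is an IP literal in the proposed 192.168.*.* range and refuses look-alike hostnames and userinfo tricks. The function name and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The range proposed in the request (192.168.*.*), written as a CIDR block.
LOCAL_NETS = (ipaddress.ip_network("192.168.0.0/16"),)


def is_local_cleartext_url(url, nets=LOCAL_NETS):
    """True only for http:// URLs whose host is an IP literal inside nets."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # accessing .port raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme != "http" or not host:
        return False
    # Reject userinfo: "http://192.168.1.10@example.com/" connects to example.com.
    if "@" in parts.netloc:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Hostnames are refused: DNS can point a name at any address, and
        # "192.168.1.10.example.com" only looks like a local address.
        return False
    return any(addr in net for net in nets)


# Constructed sample URLs (not from the thread) with the expected decision.
SAMPLES = {
    "http://192.168.1.10:8080/status": True,
    "HTTP://192.168.0.1/": True,
    "http://192.168.1.10.example.com/": False,
    "http://192.168.1.10@example.com/": False,
    "http://router.local/": False,
    "http://10.0.0.5/": False,
    "https://192.168.1.10/": False,
    "http://192.168.1.10:http/": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{is_local_cleartext_url(url)!s:5} expected={expected!s:5} {url}")
```

Matching on the parsed IP literal rather than on a string prefix is what keeps the exception from widening to arbitrary internet hosts.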