
Issue 373032


Issue metadata

Status: Fixed
Closed: Jun 2014
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug


Only expose WebCrypto to secure origins

Project Member Reported by, May 13 2014

Issue description

Comment 1 by, May 23 2014

Status: Started

Comment 2 by, May 23 2014

Pending review:
Project Member

Comment 3 by, Jun 10 2014

The following revision refers to this bug:

r175916 | | 2014-06-10T20:30:20.339412Z

Changed paths:

[webcrypto] Only allow crypto.subtle.* to be used from "secure origins".

The meaning of a secure origin is defined by:

In essence, "secure origins" are those that load resources either from the local machine or over the network from a cryptographically-authenticated server.

For example these are considered secure origins:
  * chrome-extension://xxx
  * https://xxx
  * wss://xxx
  * file://xxx
  * http://localhost/

Whereas these are considered insecure:
  * http://foobar
  * ws://foobar

crypto.subtle itself is visible from insecure origins. However all of its methods will fail by returning a rejected Promise for NotSupportedError.

BUG=373032, 245025, 362214

Review URL:
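
The behaviour described in the r175916 commit message above, as an added example that is not part of the issue thread or of Chromium's code: because `crypto.subtle` stays visible on insecure origins, a property check cannot tell whether WebCrypto is usable, so the probe runs one operation and handles the rejection. The names `isSecureOrigin`, `probeSubtle` and `insecureCryptoStub` are hypothetical, the stub is constructed, and the scheme check only mirrors the commit's example lists rather than the browser's actual algorithm.

```javascript
// Added example (not Chromium code). Scheme list mirrors the examples in the
// r175916 commit message; it is a simplification, not the browser's algorithm.
const SECURE_SCHEMES = new Set(["chrome-extension:", "https:", "wss:", "file:"]);

// Hypothetical helper: classify a URL the way the commit message's lists do.
function isSecureOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input is treated as insecure
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  // http://localhost/ is the only plain-HTTP case the commit lists as secure.
  return url.protocol === "http:" && url.hostname === "localhost";
}

// Constructed stand-in for window.crypto on an insecure origin as the commit
// describes it: subtle is present, but its methods reject with NotSupportedError.
const insecureCryptoStub = {
  subtle: {
    digest() {
      const err = new Error("constructed rejection for the example");
      err.name = "NotSupportedError";
      return Promise.reject(err);
    },
  },
};

// Hypothetical helper: decide whether crypto.subtle is actually usable.
// Checking that the property exists is not enough, so run one cheap operation.
async function probeSubtle(cryptoObj) {
  if (!cryptoObj || !cryptoObj.subtle) {
    return { usable: false, reason: "absent" };
  }
  try {
    await cryptoObj.subtle.digest("SHA-256", new Uint8Array([0]));
    return { usable: true, reason: "ok" };
  } catch (err) {
    return { usable: false, reason: (err && err.name) || "error" };
  }
}
```

In a page, `probeSubtle(window.crypto)` gives the application a single place to decide whether to continue or to tell the user the page must be served from a secure origin.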

Comment 4 by, Jun 10 2014

Status: Fixed

Comment 5 by, Feb 22 2018

This item sounds like creating a bug, not fixing one.

Comment 6 by, Feb 22 2018

Restricting to secure origins is required by the Web Crypto spec (

In particular, see
