Nw.js: SSL "--allow-running-insecure-content" won't work with chromium-args [$5]

Created on 23 Feb 2015  ·  29 Comments  ·  Source: nwjs/nw.js

Our app requires SSL through Node-Webkit while it does authentication. After authentication an iframe is created with SSL to prevent MITM (man-in-the-middle attacks) on session IDs and leakage of other information.

When loading resources ranging from images to YouTube videos inside the SSL iframe, Node-Webkit prevents loading non-SSL resources, even with the --allow-running-insecure-content chromium-arg.

This really halts our development and it's a _little_ frustrating seeing --allow-running-insecure-content is a valid argument that works with Chromium. So.. assuming it was valid we started development. :sweat:

I guess we should have checked to see if nwjs supported SSL connections fully (our fault) before starting development; there's even an issue about this back in 2013: https://github.com/nwjs/nw.js/issues/1113

Your help or suggestions are very much appreciated, even a work around would be nice!

Bug reproducible on 11.6


All 29 comments

If you need to reproduce the bug then load any website over SSL with nw-js, the site must try and load non-ssl resources.

Example site / src https://www.rackspace.co.uk

Loaded with Chrome 40 and you will see the "Load Unsafe Scripts" bubble which you can accept _or_ if you start Chrome with --allow-running-insecure-content the unsecured content will be loaded fine.

But do the same with nw-js and inspecting network resources you will see the same unsecured files are omitted from loading and the site does not work properly, there is no way to load the unsecured resources.

affects: nw-js version: 11.6 + 12.00 alpha 3

I'll post some code on how to reproduce

thanks for reporting. will see this before the next release.

We've dropped SSL altogether for the time being because we've migrated from 11.6 to 12.

Another problem is loading fonts from Google or a CDN: no fonts will load, or any resource in fact, from normal http if https is used.

@rogerwang would it be possible to get an approx eta for this fix?

(appreciate your work - so far allowed us to create a whole new venture)

@mscreenie will see this this week. Thanks for your patience.

Look forward to it, thanks for committing to an ETA. @rogerwang _hug_

Successfully loaded non SSL resources over a SSL iframe, confirmed as working :)


We're extremely grateful for your hard work and efforts, may only goodness come to you. Thanks!

Hi, it doesn't work for me... The console says: Failed to load resource: net::ERR_INSECURE_RESPONSE

In my package there is:


{
  "main": "index.html",
  "name": "nw_test",
  "description": "Optimize application",
  "version": "1.0.0",
  "keywords": [ "nw", "node-webkit" ],
  "window": {
    "toolbar": false,
    "icon": "drk_browser.png",
    "position": "center",
    "min_width": 800,
    "min_height": 500,
    "as_desktop": true,
    "resizable": true,
    "frame": true,
    "chromium-args": "--allow-running-insecure-content"
  },
  "webkit": {
    "plugin": true,
    "page-cache": true
  }
}

I'll run a test to see if I can reproduce.

Make sure you've downloaded the binaries @rogerwang has provided. Also post your app code.

Here is my app code:

index.html

<!doctype html>
<html style="height: 100%;overflow: hidden;">
<head>
    <meta charset="UTF-8">
    <title>DkR Browser v. 1.0.0</title>
    <link type="text/css" rel="stylesheet" href="css/materialize.min.css"  media="screen,projection"/>
    <link type="text/css" rel="stylesheet" href="css/materializecss_dkr.css"  media="screen,projection"/>
</head>
<body style="margin: 0;height: 100%;overflow: hidden;">
<div class="navbar-fixed navbar-desktop" style=" -webkit-app-region: drag; ">
    <nav style="background-color: #252525;">
        <div class="nav-wrapper row">
            <div class="col s12 m12" style="padding-right: 0;">
                <a href="#" class="navbar-desktop-title">DkR Browser v. 1.0.0</a>
                <ul class="right">
                    <!--@TODO add search to the options if they become numerous-->
                    <li class="navbar-desktop-button"><a href="#" onclick="win_immersive();"><i class="mdi-navigation-fullscreen"></i></a></li>
                    <li class="navbar-desktop-button"><a href="#" onclick="win_minimize();"><i class="mdi-content-remove"></i></a></li>
                    <li class="navbar-desktop-button"><a href="#" onclick="win_maximize();"><i class="mdi-action-flip-to-front"></i></a></li>
                    <li class="navbar-desktop-button"><a href="#" onclick="win_close();"><i class="mdi-navigation-close"></i></a></li>
                </ul>
            </div>
        </div>
    </nav>
</div>
<!-- self signed ssl -->
<iframe id="page_cnt" src="https://example.com" style="width:100%;height:-webkit-calc(100% - 29px);border:0;padding:0" nwUserAgent="DKRBRO" nwfaketop></iframe>
<!--nwfaketop nwUserAgent="DKRBRO"-->
<!--<iframe src="http://www.laboncloud.it/test.html" style="width:100%;height:100%;border:0;padding:0" nwfaketop></iframe>-->
<script type="text/javascript" src="js/jquery.min.js"></script>
<script type="text/javascript" src="js/materialize.js"></script>
<script type="application/javascript" src="js/laod_cfg.js"></script>
<script>
    /*
    * START OF MAIN
    */
    // Load the GUI library
    var gui = require('nw.gui'); //or global.window.nwDispatcher.requireNwGui() (see https://github.com/rogerwang/node-webkit/issues/707)
    var win = gui.Window.get();

    // Declare the other open windows
    var win_option, win_info;

    win.maximize();

    // Run the options override function

</script>
</body>
</html>

I tried, but it doesn't work... always the same error. The binaries version is:
nw.js v0.12.1
io.js v.1.2.0
Chromium 41.0.2272.76
commit hash: a77b085-0aa4273-be948af-459755a-3bdc251-1764a45
Thanks in advance...

What are you loading inside the SSL Iframe?

Try loading a non-ssl image , js or css hosted on a cdn or your own server. See if it loads. When I tested a few weeks ago it worked.

Also ensure you have a valid SSL cert, Green in Chrome, otherwise your app will not work unless you use another chrome flag to ignore SSL cert errors. I don't advise this in production environments, this could allow for MIM attacks. I personally have used this but only during dev. Doesn't make sense to use elsewhere as it would defeat the purpose of SSL.

Thanks for the tip @mscreenie
If I try to load a valid SSL (green in Chrome) page, it works.
But I need to allow a self-signed SSL certificate (red in Chrome).
I put --ignore-certificate-errors in the chrome args but it still doesn't work... :(
Here are the new manifest chrome args:
"chromium-args": "--allow-running-insecure-content --ignore-certificate-errors"

Try

--remember-cert-error-decisions
--ignore-certificate-errors
--ignore-urlfetcher-cert-requests

I've tested the second with a self-signed SSL cert served over LAN, generated for lighttpd. Worked like a dream. There are variations in self-signed certs too and Chromium may be a little sensitive. Just ensure your self-signed cert isn't giving you any other errors in your browser.

I tried with those params but it still doesn't work :(
mmmm....
Let's do it like this...
Could you try to compile with this URL inside the iframe? https://www.pcwebshop.co.uk/
If your code works, can you post the manifest and app code here?
With this method I can debug my code...
Thanks a lot @mscreenie

Sure, I'll do this when I return to my office. But here is what my self signed cert looks like in Chrome. What error message do you get when you try to load that URL in nwjs? Does it load at all?


nwjs shows this error:
Failed to load resource: net::ERR_INSECURE_RESPONSE
and it showed nothing, only a white screen.
Thanks for trying!

Just tried and works. Have you downloaded the latest binaries?


I was able to reproduce your error when the Chrome arg was not present.

Mmm, I suppose there is a problem with my code, because the binaries are the latest...
(I am using Mac OS X.... Do you use Windows???)
Can you give me your test app code? So I can test your same code on Mac and on Windows...
If you don't want to post it here, I can give you my mail address: elia.[email protected].
Thanks a lot!!

I have tried but it still doesn't work :(
I have created a simple test app that reproduces the problem...
Here are the binaries.
Only two files: package.json

{
  "main": "index.html",
  "name": "https test",
  "description": "bla bla",
  "version": "1.0.0",
  "keywords": [ "DkR", "node-webkit" ],
  "window": {
    "toolbar": false,
    "icon": "",
    "position": "center",
    "min_width": 800,
    "min_height": 500,
    "as_desktop": true,
    "resizable": true,
    "frame": true,
    "chromium-args": "--remember-cert-error-decisions --ignore-certificate-errors --ignore-urlfetcher-cert-requests"
  },
  "webkit": {
    "plugin": true,
    "page-cache": true
  }
}

and index.html

<!doctype html>
<html style="height: 100%;overflow: hidden;">
<head>
    <meta charset="UTF-8">
    <title>https test</title>
</head>
<body style="margin: 0;height: 100%;overflow: hidden;">
<iframe id="page_cnt" src="https://www.pcwebshop.co.uk/" style="width:100%;height:-webkit-calc(100% - 29px);border:0;padding:0" nwUserAgent="DKRBRO" nwfaketop></iframe>
<script>
    var gui = require('nw.gui'); //or global.window.nwDispatcher.requireNwGui() (see https://github.com/rogerwang/node-webkit/issues/707)
    var win = gui.Window.get();
    win.maximize();
    win.showDevTools();
</script>
</body>
</html>

and the result is this on macosx (on your binaries)

and this on windows x64

hope it helps to debug this :(
@rogerwang any ideas?
thanks a lot

Hi @mscreenie any news about code?

try this

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';


The binaries provided by rogerwang are now no longer available
(http://dl.nwjs.io/live-build/04-14-2015/a77b085-0aa4273-be948af-459755a-2bdc251-1764a45/)

What's the current state of this? Is this fix included in any of the recent branches?

I've just tried the latest dev branch downloads and it didn't seem to work.

Many thanks :)

It seems to be working for me in 12.3 build. I'm developing on this build, just tried embedding a non-ssl image and it works OK. http://dreamatico.com/data_images/cat/cat-6.jpg

@r1si I ran into the same problem as you. I spent half a day finding the reason. Now it works well in my environment. Sharing it with you:
Just add this line in package.json.
{
...
"chromium-args": "--ignore-certificate-errors",
"window": ....
...
}
Please note: "chromium-args" is not a sub-element of "window". It is at the same level as "window".

@clyang82

Thanks for the effort, it works on 0.12.3-win-x64.
Now I can use it on my self-signed SSL certificate. :)

Basically you need to use:

"chromium-args": "--allow-running-insecure-content --ignore-certificate-errors",

The important thing is that it has to go outside of the window object (e.g. after the name property) in the package.json file.

eg:

{
    "name": "test",
    "chromium-args": "--enable-file-cookies --allow-running-insecure-content --ignore-certificate-errors",
    "main": "index.html",
    "version": "0.1.0", 
    "window": {                                                                                                                            
        "title": "test",
        "icon": "images/login_bg.png",
        "toolbar": true,
        "frame": true,
        "width": 1180,
        "height": 820,
        "position": "center",
        "min_width": 960,
        "min_height": 660 
    }   
}
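
The placement rule from the last two comments can be checked mechanically. The following is an added example, not code from the thread or from the NW.js project: a Node.js function (`auditManifest`, a hypothetical name) that reports a `chromium-args` key nested under another object such as `window`, and lists the top-level flags named in this thread that relax certificate or mixed-content checks so they can be kept out of production builds. The two sample manifests are constructed from the shapes posted above.

```javascript
'use strict';

// Flags quoted in this thread; each relaxes TLS or mixed-content checks.
const RISKY_FLAGS = [
  '--allow-running-insecure-content',
  '--ignore-certificate-errors',
  '--ignore-urlfetcher-cert-requests',
  '--remember-cert-error-decisions',
];

// Split a "chromium-args" string into individual switches.
function splitArgs(value) {
  return typeof value === 'string' ? value.split(/\s+/).filter(Boolean) : [];
}

// Returns a list of findings for a parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  // 1. "chromium-args" nested one level down (e.g. under "window"):
  //    per the thread, the flags had no effect there.
  for (const [key, value] of Object.entries(manifest)) {
    if (value && typeof value === 'object' && !Array.isArray(value) &&
        'chromium-args' in value) {
      findings.push({ kind: 'misplaced', path: `${key}.chromium-args`,
                      flags: splitArgs(value['chromium-args']) });
    }
  }
  // 2. Top-level flags that weaken transport security.
  for (const arg of splitArgs(manifest['chromium-args'])) {
    const name = arg.split('=')[0];
    if (RISKY_FLAGS.includes(name)) {
      findings.push({ kind: 'risky', path: 'chromium-args', flags: [name] });
    }
  }
  return findings;
}

// Constructed sample manifests (not real project files).
const nested = { name: 'nw_test',
  window: { frame: true, 'chromium-args': '--allow-running-insecure-content' } };
const topLevel = { name: 'test',
  'chromium-args': '--enable-file-cookies --allow-running-insecure-content --ignore-certificate-errors',
  window: { frame: true } };

for (const [label, m] of [['nested', nested], ['top-level', topLevel]]) {
  for (const f of auditManifest(m)) {
    console.log(`${label}: ${f.kind} at ${f.path}: ${f.flags.join(' ')}`);
  }
}
```

Running the audit as a build step with a non-zero exit on any `risky` finding keeps flags that were added for a self-signed development certificate from shipping in a release manifest.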