mprimi · TeddyBear06 · Feb 8, 2023 · Feb 8, 2023 · Feb 8, 2023 · Feb 8, 2023
diff --git a/creator/index.html b/creator/index.html
@@ -13,6 +13,12 @@
       margin: 5px;
     }
 
+    .danger {
+      background-color: lightcoral;
+      border: 2px dotted red;
+      padding: 12px 20px;
+    }
+
     button {
       font-size: large;
       padding: 12px 20px;
@@ -38,6 +44,13 @@
   const iterations = 1000000 // key derivation (with PBKDF2)
   const keySize = 32 // bytes (derived with PBKDF2, used by AES)
 
+  // Display a warning if the context is not considered as "secure" by the browser
+  async function checkSecureContext() {
+    if (! window.isSecureContext) {
+      document.getElementById("danger_text").hidden = false
+    }
+  }
+
   const inputElementIds = {
     "message": "text_input_div",
     "image": "image_input_div",
@@ -47,6 +60,8 @@
   let selectedInputType = ""
 
   async function init() {
+    // Try to detect insecure contexts as soon as possible
+    await checkSecureContext()
     await refreshSalt()
     await refreshIV()
     setMessage("Select secret type: message, image, or file")
@@ -303,6 +318,11 @@ <h1><a href="https://mprimi.github.io/portable-secret/">Portable Secret</a>: Sec
     But don't take my word for it. Check out the <a href="https://github.com/mprimi/portable-secret/tree/main/creator" target="_blank">source code</a>!
   </p>
 
+  <div id="danger_text" class="danger" hidden>
+    The current browser context is not considered as "secure" and portable-secret won't work properly.<br>
+    Use one of <code>HTTPS</code>, <code>localhost</code> or <code>file://</code> context (please read <a href="#">this link</a> for more informations).
+  </div>
+
   <!-- Inputs -->
 
   <div>

diff --git a/creator/secret-template.html b/creator/secret-template.html
@@ -38,6 +38,12 @@
     font-family: monospace;
   }
 
+  .danger {
+    background-color: lightcoral;
+    border: 2px dotted red;
+    padding: 12px 20px;
+  }
+
   .decrypted {
     background-color: palegreen;
     border: 2px dotted forestgreen;
@@ -67,8 +73,16 @@
   }
   </style>
   <script>
+  // Display a warning if the context is not considered as "secure" by the browser
+  async function checkSecureContext() {
+    if (! window.isSecureContext) {
+      document.getElementById("danger_text").hidden = false
+    }
+  }
   // Display the encryption inputs on the page (invoked during body onload)
   async function loadValues() {
+    // Try to detect insecure contexts as soon as possible
+    await checkSecureContext()
     document.getElementById("secret_type").innerHTML = secretType
     document.getElementById("salt").setAttribute("value", saltHex)
     document.getElementById("iv").setAttribute("value", ivHex)
@@ -223,6 +237,11 @@ <h3>Created with <a href="https://mprimi.github.io/portable-secret/">Portable Se
     The secret can be decrypted without an internet connection, this file has no dependencies and no data leaves the browser window.
   </p>
 
+  <div id="danger_text" class="danger" hidden>
+    The current browser context is not considered as "secure" and portable-secret won't work properly.<br>
+    Use one of <code>HTTPS</code>, <code>localhost</code> or <code>file://</code> context (please read <a href="#">this link</a> for more informations).
+  </div>
+
   <div>
     <h4>Password hint:</h4>
     <pre class="hint">{{PASSWORD_HINT}}</pre>