-
Notifications
You must be signed in to change notification settings - Fork 312
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Self hosted applications #1668
Comments
I would like to weigh in on this, since I have been running up against a very similar issue and use-case and I think there is an argument to be made that the web as a platform should care about this use-case. What's the issue?I have been prototyping a PWA meant to configure and control IOT devices on your local network. The specific devices are ESP32 MCUs that get provisioned through Improv and are running ESPHome. My intention is to provide a light-weight, low friction flow to provision, configure and control these devices that is independent from any additional infrastructure. In theory, the web seems like a great platform for this. Each of these IOT devices exposes a simple REST-full web API as well as an EventSource/SSE to push updates and events to the controlling client application. However even with SSL/TLS support on these devices a major issue remains, which is that the SSL/TLS certificate system heavily relies on the public DNS system for identity verification. Generally it's not really possible/convenient to acquire a commonly accepted certificate for the private address space or domains. While it is technically possible using custom root CAs and self-signed certificates, this approach is neither convenient nor particularly user-friendly. In theory it is possible to workaround these limitations by deploying a PWA on a SSL/TLS public web server and ask your users to change their UA settings to allow insecure content for that website. This will allow the PWA/website to establish mixed content connections to local IP addresses / hostnames (and everything else in the world). The steps involved are neither simple or easy to communicate and does expose both the application and users to threats way beyond locally deployed exploits. Not to mention, with that amount of friction involved one would probably rather prompt their users to install a native app out of their respective app store. Why should the web as a platform care?The IOT space in general is a growing market and for various reasons (performance, reliability, privacy as well as simple economics) there is a major push by almost all relevant players in this space to move to more local control and fulfillment. The web platform could be a strong contender to provide a transparent, low friction and open frontend for these systems. However to fill this role the web needs to somehow adapt to this new local world in which trust isn't provided through certificates and public DNS, but, I guess, by the fact that something exists in your own, local, (virtual) space. What needs to be done?I don't really have specific proposals. I frankly don' think I have sufficient knowledge in the web security space to make concrete suggestions. But ultimately I think some form of relaxing of secure origin / mixed content policies might be required. Obviously in a way that doesn't negatively affect the public web and that may require opt-in/be limited to local networks and/or includes whitelisting. For example, maybe a Service Worker or PWA can ask for the permission to access the local network (similar to how mobile platforms do this for native apps) and once granted can treat hosts in the private ip address and host name space as secure origins, like it already does out of the box for some very specific and limited number of hosts and protocols. Overall I am not trying to suggest any specific action or change, but would like to facilitate a discussion around if this is a use-case that the web platform should care about and try to support. While I'm more than happy to help explore options I think ultimately other people probably have a better understanding of what is possible and most suited to be done. |
Also, if you think this discussion should rather be had in a different forum (like for example w3c/webappsec-mixed-content or w3c/webappsec), please let me know. |
I found this Private Network Access Draft. Particular Permission Prompt is of interest to me and of relevance to this discussion. The draft links out to There is still no complete replacement for LAN plaintext connections, which has a valuable and productive discussion of the topic. |
I'm not sure whether this is the correct issue tracker or not.
Anyways, I wanted a self-hosted home inventory management PWA for people to find their items efficiently. I made it and now I found that this will never work, because of the strict rules that basically excludes my use case.
So first, the manifest.json requires a "start_url", and I didn't want this as my start url can vary based on the DHCP settings of my router. But I thought, ok it's just a minor inconvenience. I can make it fixed.
Secondly, PWA only runs in secure contexts. It means it has to be either localhost, or "secure" HTTPS. At this point I was getting angry, because why is it more secure to send my data through HTTPS to companies than my LAN where my data never leaves the building. And obviously I cannot register a cert for a
192.168.0.x
IP address, so I have to make a self-signed certificate. Which is fine, at least my LAN will be protected, so I kind of accepted the idea. So I made this. It worked well for desktops but not for mobile.It turned out that Android let's you install certificates, but those are only for VPNs, and basically chrome never gets that certificate.
So that's the end. I thought I can use PWA. But I can't.
Some possible solutions:
Good to have:
The text was updated successfully, but these errors were encountered: