Description
Understanding Secure Contexts
Fireproof relies heavily on WebCrypto for its cryptographic operations. However, WebCrypto isn't universally available across all supported environments. Notably, common browsers disable WebCrypto when the context is http:// and the server address isn't a loopback (e.g., ::1 or 127.0.0.0/8). This is due to security measures enforced by Secure Contexts.
Fireproof utilizes WebCrypto through the following libraries:
- @adviser/cement
- multiformats
- @ipld/car
The @adviser/cement library offers an injectable WebCrypto abstraction, which means we could potentially use WebAssembly (WASM) for encryption, decryption, and digest methods. However, this approach could introduce new compatibility and support challenges.
The libraries multiformats and @ipld/car also use WebCrypto (at least for the digest methods that calculate a CID) but lack an internal abstraction for it. Due to ES module boundaries, simply injecting an alternative implementation into the browser's window object isn't feasible. The only way to replace their WebCrypto dependency would be to repackage these libraries, apply source code modifications via a codemod, and then rename them (similar to @fireproof/vendor). This solution would require ongoing maintenance and security monitoring.
For now, we've decided to remove this runtime requirement. If you need to use features that rely on WebCrypto, please obtain a certificate from Let's Encrypt and use HTTPS.
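The following startup check is an added example, not Fireproof's own code. It reports whether WebCrypto is usable and, if not, whether the cause is the http:// non-loopback case described above. The names diagnoseWebCrypto, requireWebCrypto and the SAMPLE_* environments are hypothetical, and treating localhost names as loopback is an assumption beyond what this page states.

```javascript
// Added example: all names and sample environments here are constructed.

// Loopback hosts are exempt from the http:// restriction (::1, 127.0.0.0/8).
// Treating "localhost" names the same way is an assumption beyond the page.
function isLoopbackHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // "[::1]" -> "::1"
  if (h === "::1" || h === "localhost" || h.endsWith(".localhost")) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255) && m[1] === "127";
}

// Classify the environment. `env` defaults to the real global object; tests
// pass a stub exposing the same three properties.
function diagnoseWebCrypto(env = globalThis) {
  const subtle = env.crypto && env.crypto.subtle;
  if (subtle && typeof subtle.digest === "function") {
    return { available: true, reason: "ok" };
  }
  const loc = env.location;
  if (env.isSecureContext === false && loc) {
    if (loc.protocol === "http:" && !isLoopbackHost(loc.hostname)) {
      return { available: false, reason: "insecure-origin", fix: `https://${loc.host}` };
    }
    return { available: false, reason: "insecure-context" };
  }
  return { available: false, reason: "no-webcrypto" };
}

// Fail early with an actionable message instead of a later "undefined" error
// from a dependency that calls crypto.subtle directly.
function requireWebCrypto(env = globalThis) {
  const d = diagnoseWebCrypto(env);
  if (d.available) return env.crypto.subtle;
  const hint = d.fix ? ` Serve the app from ${d.fix} instead.` : "";
  throw new Error(`WebCrypto unavailable (${d.reason}).${hint}`);
}

// Constructed environments: a LAN address over http:// and an IPv6 loopback.
const SAMPLE_LAN_HTTP = {
  isSecureContext: false,
  crypto: { getRandomValues() {} }, // present, but no `subtle`
  location: { protocol: "http:", hostname: "192.168.1.20", host: "192.168.1.20:8080" },
};
const SAMPLE_LOOPBACK = {
  isSecureContext: true,
  crypto: { subtle: { digest() {} } },
  location: { protocol: "http:", hostname: "[::1]", host: "[::1]:8080" },
};
```
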