40

In chrome version 47 they force you to use https to be allow using getUserMedia(). Unfortunately, I can't use https in my whole web, I only use it in the login rest (It a SPA - single page app). So, the address to the web is without https, only the login rest uses ssl. I use this repo with very little changes: https://github.com/Jmlevick/html-recorder

My question is if is there any way to use audio recorder in my web app and keep my web address with http and not https? what ideas do you have to overcome this issue?

Improve this question
1
  • dont have this on version 51. does anyone know which versions are affected? only 47? Commented Jul 6, 2016 at 12:28

2 Answers 2

Reset to default
88

getUserMedia allows you to listen in to the private conversations of the user. If it were enabled over unencrypted HTTP, this would allow an attacker to inject code that listens in and sends the conversations to the attacker. For example, if you if you are in a private conference room of a hotel with unencrypted WiFi, everybody in the vicinity of the hotel could listen in. Even if your app does not usually deal with sensitive conversations, an attacker could replace your code with theirs in order to listen in at a later time, when another app is in use.

Therefore, getUserMedia is only available from secure contexts. For testing, you can exempt your domain by starting Chrome with --unsafely-treat-insecure-origin-as-secure="example.com", or simply test under http://localhost/.

If you want your app to listen to the user's microphone, you must serve it via TLS. There is no way around it. If there were, it would be regarded as a security hole and fixed in the next version of the browsers.

HINT

You might have to add "http://" on the command line, e.g.: --unsafely-treat-insecure-origin-as-secure="http://example.com"

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Thanks! I understood the risk of sending audio in encrypted HTTP. Let put this issue a side for a second. Will it work if I use the recorder in an iframe with link to https recorder app that handle the audio recording inside my "http" app and post a message with the audio data from that iframe to his parent (my app) and then do some processing on the audio (even send it to the server in unsecured http)?
@Noampz No, because an attacker could modify the inner frame from the outer one. For more information, see the link on secure contexts.
Right now you can use getUserMedia() in firefox without any problems on http. Is it a really a mistake ? I feel like it's in the firefox policy to allow things like this.
@Teleporting Goat Firefox has not (yet) applied the secure context limitations on getUserMedia. That may be because secure contexts are a fairly recent addition in Firefox. If things like this includes service workers, Web Bluetooth and Encrypted Media Extensions, those are blocked within insecure contexts already.
this can also be set from chrome://flags/ under Insecure origins treated as secure
|
42

Also you can add whiltelist by opening chrome://flags and search for unsafely-treat-insecure-origin-as-secure:

chrome://flags/#unsafely-treat-insecure-origin-as-secure

Improve this answer

2 Comments

this fixed the issue for me
thanks, It worked for me, just add ip address into text fields and change status => relaunch chrome PC, mobile is still not working

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.