FluidFramework: Absence of window.crypto.subtle in insecure browser contexts leads to a crash
When using insecure browser contexts, window.crypto.subtle is not present, which results in an error “Cannot read property ‘digest’ of undefined” in the following code:
https://github.com/microsoft/FluidFramework/blob/ce53b6a335a8c79e4e5d0b5fe4dd71707ea7f09c/common/lib/common-utils/src/hashFileBrowser.ts#L38
This file has a comment suggesting to override the hashFn by calling setInsecureContextHashFn and that the algorithm should match the one used by hashFile. However, this does not seem like a very good user experience and it's easy to get the hashFn wrong, which results in errors in unrelated places.
Also, if setInsecureContextHashFn is used to specify a hashFn, the app cannot be used in a secure context because of the code here - https://github.com/microsoft/FluidFramework/blob/ce53b6a335a8c79e4e5d0b5fe4dd71707ea7f09c/common/lib/common-utils/src/hashFileBrowser.ts#L33.
This means an app can be used either in a secure or an insecure context. Is this an expected behavior?
We need to provide a better solution for this as this problem was faced recently by one of our users.
About this issue
- State: closed
- Created 3 years ago
- Comments: 16 (12 by maintainers)
Commits related to this issue
- Do automatic hash algorithm fallback in common-utils (#6877) P1 of fixing #6757 History here is we had a function to override the hashing function to enable scenarios where people wanted to do stu... — committed to microsoft/FluidFramework by heliocliu 3 years ago
- update routerlicious deps on common-utils (#6884) Part ??? of fixing #6757 Going through bumping all the layers to use prerelease versions of common-utils following a change there. This change bum... — committed to microsoft/FluidFramework by heliocliu 3 years ago
- Update client/tinylicious to newest common-utils/server prerelease versions (#6890) Fixes #6757 Update client and tinylicious packages to use latest common-utils/server prerelease version. Tinylic... — committed to microsoft/FluidFramework by heliocliu 3 years ago
- Apmahade/testretrymongo (#7211) * Add assert short codes before release (#6852) * Upgrade socket.io in R11s from v2 to v4 (#6836) * Add ability to disable summarizer heuristics (#6841) * Add... — committed to microsoft/FluidFramework by appym31 3 years ago
@t-rkrosnick Helio has a PR out with the fallback fix for insecure contexts. This should be part of the next release (0.45) which will be out at end of next week.
@agarwal-navin probably time to go ahead with the fallback fix… I can go ahead and get that done this week.