I need to test a web application on localhost with a custom domain name es: my.domain.com using the HTTPS protocol (I'm using self signed certs).
I've setup a vhost in my httpd.conf and added an entry to my /etc/hosts file
127.0.0.1 my.domain.com
But Google Chrome block with an ERR_SSL_PROTOCOL_ERROR "this site can't provide a secure connection".
I tried to disable the security checks into the Chrome settings but nothing changed still got the ERR_SSL_PROTOCOL_ERROR problem.
Is it possibile to bypass this thing for develop purpose only?
Important: I can't change my domain name because of settings in order to make a Single Sign On works
Thanks
Related
I'm a front-end developer working on an application where the login/ response put a Session-Cookie on the client. The later request will be authorized since the user "logged in".
Starting from Chrome 80
All cookies without a SameSite attribute will be treated as if they had SameSite=Lax specified. In other words, they will be restricted to first-party only (server and client on the same domain).
If you need third-party cookies (server and client on different domains), then they must be marked with SameSite=None.
Restricted to first-party by default
Set-Cookie: cname=cvalue; SameSite=Lax
Allowed in third-party contexts
Set-Cookie: cname=cvalue; SameSite=None; Secure
For my application, I want the default behavior. My client and server running on the same domain in production. But in development I'm working from localhost (different domain).
Up until now, chrome had special flag under chrome://flags - SameSite by default cookies. I could Enable this flag on my development machine and the login passed. And in production, I didn't need this flag because I wanted the default behavior.
Starting from Chrome 91
The SameSite by default cookies flag was removed. This means that from this version I can't login into my app, without deploying it to production.
Does anybody knows how can I get the Session-Cookie while working from localhost. But still keeping the security of SameSite=Lax. If possible with client only changes, but if needed also with server changes.
Chrome DevTools - SameSite error message
Chrome 80 Flags menu - These flags removed in Chrome 91
Update
I tried to solve this by making the server use SameSite=None (development only).
This causes a different error: Connection isn't secure. This is because when using SameSite=None you are required to add the suffix Secure and of curse use HTTPS connection.
Secure connection has its own problems like having to pay for a Certificate in development.
Workaround: Downgrade Chrome
This is not a solution! just a temporary workaround for anybody like me how got his work halted due to this update.
Uninstall Chrome
Go to "Add or remove programs" and uninstall Chrome. Notice that user data like cookies and saved browser passwords may be lost.
Download Chrome v90 from slimjet.com, or from any other site. Then install Chrome.
Prevent auto-update Chrome, according to this StackOverflow solution: open C:\Program Files (x86)\Google\Update
rename the file GoogleUpdate.exe to GoogleUpdate2.exe.
This will cause Chrome to not find the update package.
Update Flags - Open Chrome and type: chrome://flags
Search #same-site-by-default-cookies and Disable the flag
I have found a way to fix it and share it with everyone :-)
Description appears in the issues section:
Specify SameSite=None and Secure if the cookie should be sent in
cross-site requests. This enables third-party use.
In the Developer Tools section, go to the Application tab, and on the left side to Cookies:
The cookie that you want to share with other domains, mark the Secure
check and in Samesite put None. Update the site tab locally and you
will be able to use the cookies that allow you to send through the
domain of origin
I hope this brightens your day
As of Chrome v107 (Nov 2022)
I had a similar issue, spent a few hours digging, and what I found is that the only solution for Chrome is to make your front-end connection secure, ie https (using a proxy for instance): Link
An alternative solution is to use Firefox and set: about:config > network.cookie.sameSite.noneRequiresSecure=false. This allows SameSite=None; Secure=false
In our case, we are able to also run our server locally on a different port and point our client app to that localhost address for development purposes.
For example, I have the client app running on localhost:1234 and sending requests to a local copy of the server running on localhost:5678. This ensures that cookies are set successfully since the client and server are now "SameSite".
Admittedly, this is perhaps more of a workaround than a solution, but I hope it helps in the short term.
If you want to perform "unsafe" CORS requests (which means performing a POST/PUT/DELETE request) you will need to modify the tomcat conf/context.xml file, to set sameSiteCookies to "none" instead of "lax".
...
<!-- default samesite cookies configuration, for CORS set sameSiteCookies to "none" and configure bundle for HTTPS -->
<CookieProcessor sameSiteCookies="none" />
...
You can set the SameSite attribute manually to "None" + tick "Secure" inside the devtools for development.
That way you would not have to modify your production environment (keep the cookies as SameSite=Lax).
I can't intercept requests made by Chrome version 73.0.3683.86 to my localhost site.
Local host site is running on IIS on http://127.0.0.3:80
Burp proxy lister is default one on 127.0.0.1:8080
Interception rules are default one as well
In my LAN settings, "Bypass proxy server for local addresses" is not enabled
When Interception is turned ON and I reload page in Chrome browser, no request is "caught" by Burp, my local site loads and only the external requests are intercepted, such as loading external scripts from CDN.
Also under "Proxy" > "HTTP History" there is only request to external sites, and all requests to http://127.0.0.3:80 are not recorded.
When I reload same page by Internet Explorer 11, initial GET request is intercepted by Burp, as expected. Also "Proxy" > "HTTP History" shows all the requests to local site http://127.0.0.3:80
What is the problem with the Chrome? Thanks!
Found the solution late yesterday. I am using the Chrome extension ProxySwitchy, but it doesn't matter if you use that or the system proxy configuration. The solution works the same way.
You can solve this problem by adding an entry in /etc/hosts file like below
127.0.0.1 localhost
127.0.0.1 somehostname
Now burp will intercept request from somehostname
Which version of Chrome are you using?
Have you tried using the FoxyProxy Chrome extension?
As a workaround, you could modify the hosts file on your machine.
I experienced the same issue when I upgraded from Opera 58.0 to 60.0. I think that this is Chrome related, because I've also experienced it in all other Chrome browsers. Opera 58 utilizes Chrome 71.0.3578.98. Opera 60 utilizes version Chrome 73.0.3683.103. Something was definitely updated in Chrome between these versions to cause this problem to happen.
You have to subtract the implicit bypass rules defined in Chrome (https://chromium.googlesource.com/chromium/src/+/master/net/docs/proxy.md#Implicit-bypass-rules)
Requests to certain hosts will not be sent through a proxy, and will
instead be sent directly.
We call these the implicit bypass rules. The implicit bypass rules
match URLs whose host portion is either a localhost name or a
link-local IP literal. Essentially it matches:
localhost
*.localhost [::1]
127.0.0.1/8
169.254/16
[FE80::]/10
https://chromium.googlesource.com/chromium/src/+/master/net/docs/proxy.md#Bypass-rule_Subtract-implicit-rules
Whereas regular bypass rules instruct the browser about URLs that
should not use the proxy, Subtract Implicit Rules has the opposite
effect and tells the browser to instead use the proxy.
In order to be able to proxy through the loopback interface, you have to add the entry
<-loopback>
in the list of hosts for which you don't want to a proxy. It is a bit confusing, indeed.
Make sure you haven't enabled socks proxy option, it happened with me too and i found the solution when i disabled the socks proxy option, just make sure it's disabled!
Example:
It helped me
I turned on this settings
When I'm developing using Node's http2 library (which only supports HTTPS, not HTTP), when I open localhost in Chrome, I get a warning screen:
Your connection is not private
Attackers might be trying to steal your information from localhost (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
You have to click "Advanced" then "Proceed to localhost (unsafe)". It gets annoying having to do this during development.
I generated a cert and key for localhost use according to the instructions for Node's http2 module. Is there any way to generate them in such a way that Chrome would actually accept them for localhost? Or is there another easy way to get rid of this warning?
(I'm aware of the option of launching Chrome with --ignore-certificate-errors but I'd prefer not to do this for all websites.)
Try the following:
In Chrome, put in chrome://flags/#allow-insecure-localhost in the address bar.
Enable the option that says "Allow invalid certificates for resources loaded from localhost".
Restart Chrome, and it should allow the site.
You can also type thisisunsafe once you put focus on the website
There are two options you can use to get rid of this annoying thing, which are:
Temporarily Disable SSL Warning
You can go to Google Chrome, input chrome://flags in the address bar and press the Enter key to access advanced settings.
In the next step, find the "Allow invalid certificates for resources loaded from localhost" option and enable it. This method is the same as using --ignore-certificate-errors attribute on your Google Chrome shortcut. It disables the SSL warning for all sites.
It's just a temporary solution and I wouldn't suggest to use this frequently.
(I'm aware of the option of launching Chrome with
--ignore-certificate-errors but I'd prefer not to do this for all websites.)
Install SSL On Your Localhost with OpenSSL
You can install SSL on your localhost with OpenSSL. By using this method, your localhost can run HTTPS without any issue at all. The tutorial is quite long with detailed instructions, you can read it at here.
Source: Fix Your Connection Is Not Private Error In Your Browser - ByteBiteBit.com
I tried too many techniques but nothing works at last i find it while i was learning Webapi.
i was unable to visit to any side beacuse of showing the Error "Your Connection is not Private"......
THE REASON IS You have to enable SSL on your Browser and how you can do it let me share the link..
Just follow the steps
https://www.youtube.com/watch?v=4hb6iD3nP6g&list=PL6n9fhu94yhW7yoUOGNOfHurUE6bpOO2b&index=16
chrome://flags/#allow-insecure-localhost in the address bar.
set it to Enabled
relaunch chrome
result
I have defined some virtual servers that until the last days were working fine.
Now they don't on Chrome, but there are no problems in firefox or safary.
I get this:
This webpage is not available
ERR_ICANN_NAME_COLLISION
Hide details
This site is using a new generic top-level domain (gTLD). If you have
used loc.dev to access an internal site in the past, contact your
network administrator.
I found as a solution:
Set the "Built-in Asynchronous DNS" to "Disabled" in chrome://flags, but the is no such flag in my chrome version ( 43.0.2357.81 )
Do you know a solution for this?
LE : If i move the site on the htdocs file and i go on the url http://localhost, it works. It seems that it has a problem only with virtualhosts.
Got the same issue after updating to the latest chrome version last night. I was getting a ERR_NAME_NOT_RESOLVED error only on google chrome for all of my virtual hosts. Here's how that looked.
Screen Shot-> DNS name not resolved error
Here's the fix I made.
Clear up the google DNS cache by typing this in the Chrome browser
chrome://net-internals/#dns
Screenshot -> Flushing Chrome DNS cache
You will see a button "Clear Host Cache". Press that DNS cache
will be flushed.
Keep this DNS window open. Now access the virtual host in the browser
for me it was http:/api.localhost. Once you do that you will see a
new entry in the DNS window. for me it was "localhost."
notice the period "." at the end of localhost that showed an error.
Last step is to simply add this entry as to your localhost file.
Your hosts file should be updated with an entry to resolve localhost. to 127.0.0.1:
# dont forget the trailing . !!!
127.0.0.1 localhost.
in the hosts file located at:
for linux : /etc/hosts
for windows : C:\Windows\System32\drivers\etc\hosts
Another solution for your case might be to ditch the .dev at the end of your local virtual host domain
This has to do with some new changes by google. ".dev" comes under google's TLD (In the corner of the internet where people care about DNS, there is a bit of an uproar at Google's application for over a hundred new top-level domains, including .dev)
Try this Use a domain name you own. Possibly using the full name like "localhost.dev.$yourdomain" could help you here depending on your setup.
With the 'chrome' I face the same issue because by mistake I comment out the
127.0.0.1 localhost from the host file, But 'Firefox' will work.
Just make sure your host file include
127.0.0.1 localhost
FIXING
Try contacting your system administrator.
ERR_ICANN_NAME_COLLISION.
if you are using magento and getting such error
just go to you database and search for core_config_data
click on it then check your web store name
change the store name
restart your wamp and fixed.
Worked for me:
chrome://net-internals/#hsts -> Domain Security Policy -> Delete domain security policies -> enter there localhost and press delete
Here is another catch for you, my virtual hosts in Windows hosts file were defined as:
127.0.0.1 bla.bla.bla.localhost
127.0.0.1 bla2.bla2.localhost
And actual server virtual host directives in Xamp Apache Vhosts file made it all work nicely in all browsers, but Chrome!
A simple fix - dont end with full "locahost" word, rename the vhosts to end with anything else, just "loc" did it in my case, all works in Chrome now!
Been having this problem with Version 56.0.2924.87 (64-bit) of chrome, attempting to access a vm by gset.localhost, just would not work.
Changed the url in the hosts file to gset.loc and it works fine.
The answer seems to be do not use localhost in your hosts file urls when attempting to access a virtual machine running on your machine using chrome.
All browsers - chrome, firefox, safari were not resolving my virtual host and kept re-directing to www.mysite.dev
After pulling my hair for hours - it turned out I just need to change mysite.dev to www.mysite.dev in the /etc/hosts file.
I'm using Advanced REST Client to test external API which requires me to specify
Connection: Keep-Alive. The connection fails (NO RESPONSE) and inspecting Chrome console I noticed Refused to set unsafe header "Connection" followed by net::ERR_INSECURE_RESPONSE
Is there any Chrome settings that allow me to override this? BTW, the API works when I use external tools like APIGee. I've tried Chrome CORS extension (Allow Control Allow Origin) but still unsuccessful.
The issue is that chrome is refusing to load a resource that has an invalid or expired SSL certificate. Even if you could get it to bypass that it would be a bad idea as it would make man in the middle attacks easier in your application.
My suggestion would be (if you trust the server or if it's running locally) to import that certificate to your store so it's trusted in your development environment. If the cert is expired and it's hosted locally look at the documentation on how to change the certificate or to add a self signed one (which you then also would add to your trusted sites)
How to add a self signed very to your store
For Mac
For windows
You'll have to restart chrome for it to see the certs in the store after doing this
Again, be sure you trust these certs origin as they'll be considered trusted as if a legit CA HAD issued them