Latest news coming from iOS-> https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/
Anybody from google-drive-sdk support can tell if there is a plan to support https for Realtime APIs soon?
You can run realtime APIs in https URIs. I don't see any problem with that. HTTPS is referring to website security. It's an added encryption layer of SSL/TLS to protect the traffic. So it should be ok.
If you check the Google Realtime API, you can see https is always used.
A Googler even runs his realtime API samples in HTTPS in this video.
Note: Transitioning from HTTP to HTTPS doesn't magically happen. Here's a guide to that. Even local servers are not exempted.
Related
Chromebooks etc have offline versions of users' Drive files, so is there a way to use the Realtime API, which though apparently inaccessible offline, does work just fine offline? (my app starts in an 'inMemoryModel' mode).
Problems include that Google disallows cacheing of their API's, and that when a manifest-enhanced single-page web-app is run on a disconnected Chromebook, the user is shown a "This application cannot run offline" screen, or similar.
What if anything, is Google's plan for this, and other similar Drive API situations?
Looks like Push notifications are finally usable for web-apps! Unfortunately, this requires https for ServiceWorker, which not all sites may have.
One thing I noticed in the spec it mentions:
if r's url's scheme is not one of "http" and "https", then:
Throw a TypeError."
So I'm confused - can the site be http, as long as it includes a serviceworker that is from https? For example, mydomain.com could include an https serviceworker from https://anotherdomain.com?
Another standard, web-api simple-push, doesn't mention requiring https (likely an omission in the documentation?), and "The user experience on Firefox Desktop has not been drawn out yet". Is the documentation on this outdated, or is push really only supported in FirefoxOS??
Simple-push, that is the current push solution in Firefox OS doesn't have anything to do with ServiceWorkers.
The next generation of push, implemented by both Google and Mozilla will be done through ServiceWorkers:
Push API spec
In that case yes, your content will need to be served over HTTPS.
Probably you will be interested in the LetsEncrypt initiative:
letsencrypt.org
A new certification authority that will help developers to transition their content over HTTPS.
Also just for development purposes, both Google and Mozilla implementations of ServiceWorkers allow you to bypass the check of the secure content, if you develop against localhost.
In the case of Mozilla you will need to enable the flag:
devtools.serviceWorkers.testing.enabled: true
But again this will be just for development, and AFAIK, Mozilla push landed or is about to land, and will be available in the nightly builds, you can follow the work here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1038811
No, the new generation of push notifications (i.e. Push API) requires HTTPS.
If you need to add push notifications to a website without HTTPS you can use a third-party service like Pushpad (I am the founder) that delivers notifications on your behalf.
The text you cited from the spec is from the Cache.addAll() section (5.4).
Here's the summary of addAll() on MDN:
The addAll() method of the Cache interface takes an array of URLS, retrieves them, and adds the resulting response objects to the given cache. The request objects created during retrieval become keys to the stored response operations.
Service workers can request & cache URLs that are either HTTP or HTTPS, but a Service Worker itself can only work in its registered Scope (which must be HTTPS).
simple-push is not related to Service Workers; it seems comparable to the approaches other platforms have taken:
Apple Push Notifications
Google Cloud Messaging
I found a nice bypass workaround to allow notifications from websites and domains without SSL, hence http:// and not https:// for Firefox.
Firefox holds a file inside the Mozilla directory called permissions.sqlite which is a sqlite database file that holds the permissions for domains. You can add your domain there http://yourdomainname with permissions for notifications and it will work.
I have created a demonstration for Windows here https://gist.github.com/caviv/8df5fa11a98e0e33557f75215f691d54 in golang
I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.
Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.
Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?
I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.
(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server i.e. https://yourserver.com/js/googleapis/maps/api/js and make mod_rewrite this URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY
A rule for mod_rewrite (not tested) could look like this:
RewriteCond %{QUERY_STRING} ^$
RewirteRule ^/googleapis/maps/api/js (.*)$ https://https://maps.googleapis.com/maps/api/js?key=API_KEY
I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.
(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyways you cold go a road where the API key service hands out the API key only to registered and authenticated users.
Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.
No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. IF it were possible to just debug a prod app, then say goodbye to security.
Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.
Personally, I'd also obfuscate the source when building prod version.
Hope it helps
Can a published Web App use HTTP instead of HTTPS?
If so, how do you change the settings to make it work properly?
There is no way to do this today. If you access a web app over HTTP it will immediately get redirected to HTTPS. There are no plans to change this as of now but please log an enhancement request here with details - https://code.google.com/p/google-apps-script-issues/issues/list
I want to monitor Https traffic going out from google chrome.
Is there any possibility to write something in C++ for similar purpose, like some hook.
When I tried to hook in ws2_32::WSASend API and load my dll in chrome, it is causing crash. It look like chrome protects hooking of Windows API. I am more interested in APIs not applications like fiddler which can show Https traffic.
I have also seen google's native-client option but does not think it is useful because any extension need to deploy using google web store which is not a possibility in my case.