undefined | Better HN

0 pointsdm33tri6y ago0 comments

They show big red error and prompt to continue is hidden under spoiler. Also XHR requests just cut off, it's painful when developing and testing.

0 comments

zozbot2346y ago

Well, a XHR cannot programmatically decide whether a self-signed cert should be trusted. Perhaps browsers should pop up a warning bar in such cases, explaining that some site functionality is being blocked for security reasons. Clicking it would take the user to the big scary warning page, where they would be allowed to indicate that they trust the self-signed cert (permanently or not) and reload the original page.

namibj6y ago

The XHR api could allow specifying a trust root and/or cert-pinning though.

necovek6y ago

How do you imagine this to work? XHR caller and XHR endpoint are both coming from untrusted sources at that point — if you allow either side to define a trust root, you are fully opening up to MITM attacks.

For development purposes, I imagine the approach akin to cross-origin support in browsers for loopback networks might work (i.e. don't enforce checks on them).

1 more reply

edoceo6y ago

It already does, put your self-CA in the browser trust store.

j / k navigate · click thread line to collapse