code-server is being accessed over an insecure domain. Web views, the clipboard, and other functionality will not work as expected.

[nexon33]

Is there a way to bypass this? I'm running code-server over tor so its not possible to get an ssl certificate.

edit: tor is encrypted by default by the way, so the connection is secure.

[jsjoeio]

I'm not familiar with tor but would using --link fix the issue?

i.e. code-server --link - demo video

[nexon33]

nope, I get the error info ping server: dial server: failed to WebSocket dial: expected handshake response status code 101 but got 403

probably because the code is ran through tor, some websites block tor by default.

[code-asher]

Do things like service workers that normally only work in secure contexts work on .onion sites? If not then I think the error is accurate and we should keep it.

If that functionality does work then of course the error is wrong and it seems like we will need to be more sophisticated in our detection. Currently we use window.isSecureContext.

[code-asher]

In the first case, at the very least maybe we should reword the error to make it clear the browser has disabled certain APIs that code-server uses rather than saying the domain is insecure, or something like that.

[nexon33]

Do things like service workers that normally only work in secure contexts work on .onion sites? If not then I think the error is accurate and we should keep it.

If that functionality does work then of course the error is wrong and it seems like we will need to be more sophisticated in our detection. Currently we use window.isSecureContext.

Well the thing is, tor is end to end encryped. Meaning

You run an unsecure site on localhost which is not accessible to the outside.

Then you configure a tor service, this will setup a service that will route from tor to the local website (even if its not accessible from the outside) the service uses encryption by default meaning no request ever leaves the local computer without being encryped on the local computer first

The encrypted request is routed through tor nodes (when going through the servers, it will get encrypted another 3 times in layers, thats why its called onion routing) each node adds a layer

In the end the last tor node sends the request to the tor browser, the tor browser will decrypt the received message, even if the url itsself is http and there is no ssl encryption used, tor by default encrypts the request, I think it uses RSA1024 if I'm not mistaken

Situations where the connection is secure: domain ends in .onion

Situarions where it is not secure:
A gateway is used, which ends in onion.to or someting else, could also be a normal website which even provides a https certificate, but is still not secure.

This means I could enable all the features by using a tor gateway that supports https, which irronically is way less secure since everything could be logged as its completely decrypted on the gateway, and then gets encrypted again with ssl or tls

Edit: not sure if this matters but tor does not support udp, I think it routes udp requests over tcp

[code-asher]

I think our error is misleading. It makes it sound like your connection is unsafe. What it really means is that secure context APIs like service workers and the clipboard API are not available. We should reword the error!

How about something like this:

Your browser has not given code-server access to certain features. Web views, the clipboard, and other functionality will not work as expected. Typically this happens because code-server is being accessed without HTTPS.

If Tor does not consider .onion sites a secure context then unfortunately there is nothing we can do. 😢

[Largo]

Yes, through the browser. Microsoft Edge: open edge://flags/ look for Insecure origins treated as secure.
Add the full url to code-server. This is however unsafe.

Other option is through code-server vscode settings.

[JWleo]

@nexon33 you should use your vscode-server through https.
you need to go to ~/.config/code-server/config.yaml, and fix your file just like below:
bind-addr: ****
auth: password
password: ***88
cert: true(It's very very very important here,it needs your .key ,.crt or others to supprot the function) )
cert-host: ***

[ksbalajee]

Hi,
I'm trying to build a react application with the code server as an iframe. The code server is served over HTTPS (passing in the certificate via flags when launching code server) and when I tried to launch my react application in my local (http://localhost:3000/), I don't see any issues. However, when I deploy my react application to a domain (http://my-app.com/) that's when I'm getting the error that the OP posted and also a popup saying that
code-server is being accessed in an insecure context. Web views, the clipboard, and other functionality may not work as expected.
Also when I try to open the code server URL from the iframe to a new tab, I don't see this issue. Do I need to host my react application in HTTPS as well?

Version details:
code-server: v4.3.0
Code: 1.65.2
Commit: Unknown
Date: 2022-04-14T21:04:05.402Z
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

[jsjoeio]

I think so!

[Stevesuk0]

open chrome://flags/

search Insecure origins treated as secure

turn it on and write down your code-server address

restart your browser