How to use SubtleCrypto in chrome (window.crypto.subtle is undefined)

Asked 28/9, 2017 at 11:33 Answered 5/6 at 13:46

Solved javascript google-chrome cryptography

This is really embarassing

on virtually any site on the internet,

window.crypto.subtle

returns

SubtleCrypto {}
  __proto__: SubtleCrypto

in the chrome console (v61 (Official Build) (64-bit))

except for

my webpage, and blank.org

where

window.crypto.subtle

returns

undefined

according to https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle it's a read-only property that should always return a SubtleCrypto object.

what could I have done, or what has blank.org done that it could possibly not?

ps: in firefox it seems to work as intended on both my site and blank.org

Hagiolatry answered 28/9, 2017 at 11:33 Comment(0)

According to the spec (via Github issues) a la this Google page for WebCrypto:

crypto.subtle is supposed to be undefined in insecure contexts

Deliberation answered 28/9, 2017 at 11:48 Comment(3)

It follows that it can only be used over https, as opposed to http. – Yuyuan 12/8, 2019 at 6:29

I have noticed that window.crypto.subtle was available when targetting a local HTTP URL, such as localhost:8080 for instance, which is quite useful for local web developments and tests out of the Internet. Maybe local HTTP connections are considered as "secured contexts" as well? Still, window.crypto.subtle is undefined with remote HTTP URLs. (tested with Firefox/Windows, plus Docker in the local dev+test configuration) – Court 26/8, 2021 at 13:52

window.crypto.subtle will return undefined on HTTP in an environment other than a local environment (e.g. localhost). Hence, if you must run your application on an actual domain name on the internet, you need to set up SSL (HTTPS). See: developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts Also, libraries that depend on window.crypto.subtle (e.g. the node packages for Auth0 and Authgear ) will also misbehave due to the above behavior. – Erivan 12/7 at 12:31

check your URL's

if it is https://localhost:PORT or 0.0.0.0:port or 127.0.0.0:port

change it to proper hostname URL something like http://localhost:PORT

worked for me! Thanks @Zmart

Donoghue answered 23/2, 2018 at 12:47 Comment(0)

It would appear you have to use sites with https://...... and not vanilla http://....

From the spec - easy to miss (and linked by Zmart, above):

Access to the WebCrypto API is restricted to secure origins (which is to say https:// pages).

Orose answered 15/5, 2019 at 5:52 Comment(2)

localhost and 127.0.0.1 are also considered as secure contexts, see developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts – Ganesha 26/7, 2020 at 9:28

What is this answer adding to the already existing answers? – Bloodthirsty 17/2, 2023 at 14:9

If you don't run your website on SSL with https the answer is: You can't use window.crypto.subtle. You have to configure SSL for your webserver. Look in MDN docs about Crypto.subtle it has a big warning on top op the page saying Secure context which means it is only available on https.

BUT there is an alternative solution if you still need a support for http only. And it does not involve using window.crypto.subtle but other open-source third party library instead. Here is how:

You can use Forge which is a crypto library that has same functionality like window.crypto.sybtle It has all crypto algorithms for your needs.

You can use forge instead of window.crypto when you run your services over http.

Be aware that APIs are very different and you need to write different code for cryptography using forge than using window.crypto. You need to read forge docs to make specific cryptography method work for your use case. You CAN NOT use same code that works in window.crypto.subtle when using forge you need to find your own way how to use forge for encryption.

For your reference to see how forge vs window.crypto.subtle codes are different read below.

Links to original window.crypto.subtle based darkwire.io code and translated darkwire.io code that is using forge instead of window.crypto.subtle:

original code using window.crypto.subtle: here
code translated to use forge, can run on http without SSL: here

I had translated darkwire.io to use forge for my own project that runs on http and needs encrypted communication method between clients.

Susiesuslik answered 25/8, 2020 at 15:25 Comment(0)

If you have running your development projects on different domain names (or ports) than localhost, then on Chrome you can add domains to the #unsafely-treat-insecure-origin-as-secure-flag:

Enter the following url in your address bar, enable the feature and add your development domain:

chrome://flags/#unsafely-treat-insecure-origin-as-secure

Only use this for development purposes on internal domain names or IP-addresses.

Tarp answered 5/6 at 13:46 Comment(0)

Recommended topics

Hot tags