From cdfb33665195eb9a73fb00feb6ebaccd1068cd50 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 12 May 2022 15:46:59 +0200
Subject: [PATCH] Add warnings about insecure context

Most (all?) new APIs will require a "secure context", which generally
means served over TLS. We can expect crashes because of missing
functions if this requirement isn't fulfilled, so try to warn the user.
---
 app/ui.js   | 8 ++++++++
 core/rfb.js | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/app/ui.js b/app/ui.js
index e1c58923..95f938d6 100644
--- a/app/ui.js
+++ b/app/ui.js
@@ -61,6 +61,14 @@ const UI = {
         // Translate the DOM
         l10n.translateDOM();
 
+        // We rely on modern APIs which might not be available in an
+        // insecure context
+        if (!window.isSecureContext) {
+            // FIXME: This gets hidden when connecting
+            UI.showStatus(_("HTTPS is required for full functionality"), 'error');
+        }
+
+        // Try to fetch version number
         fetch('./package.json')
             .then((response) => {
                 if (!response.ok) {
diff --git a/core/rfb.js b/core/rfb.js
index 121d9e5e..578a8984 100644
--- a/core/rfb.js
+++ b/core/rfb.js
@@ -79,6 +79,12 @@ export default class RFB extends EventTargetMixin {
             throw new Error("Must specify URL, WebSocket or RTCDataChannel");
         }
 
+        // We rely on modern APIs which might not be available in an
+        // insecure context
+        if (!window.isSecureContext) {
+            Log.Error("noVNC requires a secure context (TLS). Expect crashes!");
+        }
+
         super();
 
         this._target = target;