
I am creating a Chrome extension that exposes extra APIs to websites. Before these APIs can be used by websites, I want to show a warning if the website was served over HTTP and not HTTPS. This is because these APIs reduce the web sandbox and could be more dangerous if the JavaScript source from the website is not verified to have come from the correct party.

Is there a reliable method I can use to check if a website was served over HTTPS?
Maybe a Chrome extension API (for example inside a content script)?

Checking location.protocol seems to be potentially inaccurate in case of problems with the certificate: see "How do I determine whether a page is secure via JavaScript?"

sideshowbarker
David Callanan

1 Answer


For newer browsers:

window.isSecureContext

You can also:

window.location.protocol == 'https:'

However, this may be wrong if the webpage protocol is https but the certificate was invalid and the webpage proceeded to load in a non-secure context.

David Callanan
  • There's also one extension-related use case that would benefit from window.isSecureContext - writing a universal library that can be used inside extension pages including the background script (these are all secure). But such a library would have to implement a fallback to a protocol check for older versions of browsers of course. – wOxxOm Jan 16 '20 at 04:42
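
The check from the answer combined with the protocol fallback mentioned in the comment, as an added example that is not part of the original posts. `classifyPageSecurity`, `shouldWarn` and the window-like sample objects are hypothetical names and constructed inputs, not a Chrome API.

```javascript
// Added example; helper names are hypothetical, not a Chrome API.
// Schemes accepted only when the browser offers no isSecureContext.
const FALLBACK_SECURE_SCHEMES = ['https:', 'chrome-extension:'];

// `win` is a window-like object (in a content script, pass `window`).
function classifyPageSecurity(win) {
  if (typeof win.isSecureContext === 'boolean') {
    // The browser's own verdict, available in newer browsers.
    return { secure: win.isSecureContext, source: 'isSecureContext' };
  }
  // Older browsers: only the URL scheme is available.
  const protocol = win.location ? win.location.protocol : '';
  return {
    secure: FALLBACK_SECURE_SCHEMES.indexOf(protocol) !== -1,
    source: 'protocol-fallback',
  };
}

// Decide whether to show the warning before exposing the extra APIs.
function shouldWarn(win) {
  return !classifyPageSecurity(win).secure;
}

// Constructed window-like samples (not captured from real pages).
const samples = {
  httpsPage: { isSecureContext: true, location: { protocol: 'https:' } },
  httpPage: { isSecureContext: false, location: { protocol: 'http:' } },
  // Browsers treat http://localhost as a secure context.
  localhostHttp: { isSecureContext: true, location: { protocol: 'http:' } },
  oldBrowserHttps: { location: { protocol: 'https:' } },
  oldBrowserHttp: { location: { protocol: 'http:' } },
  oldBrowserExtensionPage: { location: { protocol: 'chrome-extension:' } },
};

for (const [name, win] of Object.entries(samples)) {
  const { secure, source } = classifyPageSecurity(win);
  console.log(`${name}: secure=${secure} via ${source} warn=${shouldWarn(win)}`);
}
```

The `source` field lets the extension record whether the verdict came from the browser or only from the URL scheme. Note the `localhostHttp` case: on the `isSecureContext` path a page served over plain HTTP from localhost does not trigger the warning.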