16

I need to generate cryptographically secure pseudorandom numbers, in Javascript. I know about the window.crypto.getRandomValues API, which does exactly what I want. However, I also know it was introduced relatively recently (in 2011 or so).

Can I safely assume window.crypto.getRandomValues is present, or will using it introduce compatibility problems on some browsers? Are there any major (widely used) browsers which do not support window.crypto.getRandomValues (including mobile or desktop browsers), and if so, which ones do I need to worry about? I would be delighted to learn that there is enough support that I no longer need to worry about fallback methods, if that is indeed the case.

Community
  • 1
  • 1
D.W.
  • 3,382
  • 7
  • 44
  • 110

4 Answers4

23

Can I safely assume window.crypto.getRandomValues is present

As always it depends on your target market and will change over time. caniuse.com lists which browsers support it and calculates the browser marketshare.

Here is a summary:

  • IE 11: w/ prefix

  • IE Mobile 11: w/ prefix

  • Firefox: 21+

  • Firefox Mobile: 21+

  • Safari: from 6.1

  • Safari Mobile: 7.1

  • Chrome: 11+

  • Chrome for Mobile: 23+

  • Android browser: 4.4

  • Opera: 15+

  • Opera Mobile: 36+
  • Opera Mini: no
Indolering
  • 3,058
  • 30
  • 45
bobince
  • 528,062
  • 107
  • 651
  • 834
  • This is fantastic! Thank you, bobince. I recently found [another source from Mozilla](https://developer.mozilla.org/en-US/docs/DOM/window.crypto.getRandomValues#Browser_Compatibility). The only discrepancy with your answer is that Mozilla says Mobile Safari supports `window.crypto.getRandomValues` since iOS 6. Do you think they are right? Anyway, thanks again -- I couldn't have hoped for a more perfect answer! – D.W. Apr 16 '13 at 15:48
  • Ah! It's entirely possible, yes. I don't have an iOS 6 device to test, but I'll assume they're right unless anyone knows different... – bobince Apr 16 '13 at 18:47
  • 5
    Will be in IE11, maybe under window.msCrypto. – user239558 Oct 17 '13 at 22:15
  • 1
    Additionally, not available in node.js. Which is not a browser. – Michael Paulukonis Nov 12 '13 at 19:16
8

For a more complete, up-to-date view, it's probably better to just check caniuse.com:

http://caniuse.com/#feat=getrandomvalues

As of December 2015, all modern browsers, except for Opera Mini, support it:

enter image description here

laurent
  • 88,262
  • 77
  • 290
  • 428
7
const crypto = window.crypto ||
  window.msCrypto || {
    getRandomValues: array => {
      for (let i = 0, l = array.length; i < l; i++) {
        array[i] = Math.floor(Math.random() * 256);
      }
      return array;
    }
  };

  if (crypto.getRandomValues === undefined) {
    throw new Error("crypto is not supported on this browser");
  }
Richard Merchant
  • 983
  • 12
  • 10
  • 1
    This doesn't answer the question that I asked. I asked whether `window.crypto.getRandomValues` is supported on all modern browsers; a chunk of code is not an answer to that question. (Also, separately, it's worrisome to see you suggest code that uses `Math.random`, as `Math.random` is often not secure for cryptographic uses.) – D.W. Aug 17 '17 at 00:01
  • 2
    So to answer your question, it is not supported by all browsers. which is why I posted this as it will fall back to something usable. Feel free to down vote. Just thought it was useful and as an alternative to the other answers – Richard Merchant Aug 17 '17 at 10:12
3

Opera is the only one that does not support window.crypto.getRandomValues, but it's math.random() is pretty secure.

What I did to solve this was just to check if the window.crypto is available, if not check is it an opera browser and if not just throw an error saying that the browser can't generate a secure password.

if(window.crypto && window.crypto.getRandomValues)
{
    (use window.crypto.getRandomValues)
}
else if(isOpera)
{
    (use Math.random)
}
else throw new Error("Your browser can not generate a secure Password, please change it to one that can (Google Chrome, IE, Firefox, Safari, Opera) or get the newest update.");
Community
  • 1
  • 1
OmarAguinaga
  • 707
  • 1
  • 8
  • 17
  • You can choose to put the error message, the browser needs to be really really old in order to trigger that error (: if you don't want to show that error the only thing I could thing of doing is use the simple math.random as last resource . – OmarAguinaga Mar 09 '16 at 15:11
  • The point of error messages is to he helpful. Put yourself in the place of a user, is it helpful? What a user wants, needs, to, know is what to do. Use another browser or just give up. You are telling the user about a browser error that he can't do anything about. – zaph Mar 09 '16 at 15:56