
From the Electron renderer, I am accessing a local GraphQL endpoint served by a Django instance on my computer, which I'd like to do over HTTP, not HTTPS. But Electron's Chromium seems to intercept my fetch request and preemptively return a 307 redirect.

So if my fetch request is POST to http://local.myapp.com:3000/v1/graphql, then Chromium returns a 307 and forces a redirect to https://local.myapp.com:3000/v1/graphql, which fails because my server is listening on port 3000 and for my use case I can't do a local cert for local.myapp.com.

Theoretically the first insecure request should be hitting an nginx docker container listening on port 3000 without any SSL requirement. And nginx is proxying the request to a Hasura container. But I'm not even seeing the requests in the nginx access logs, so I'm pretty sure the request is being intercepted by Chromium.

I believe this StackOverflow comment summarizes well why this is happening: https://stackoverflow.com/a/34213531

Although I don't recall ever returning a Strict-Transport-Security header from my GraphQL endpoint or Django server.

I have tried the following code without success to turn off this Chromium behavior within my Electron app:

import { app } from 'electron'

// Chromium command-line switches I tried (appended before the app is 'ready'); none of them changed the behavior
app.commandLine.appendSwitch('ignore-certificate-errors')
app.commandLine.appendSwitch('allow-insecure-localhost')
app.commandLine.appendSwitch('ignore-urlfetcher-cert-requests')
app.commandLine.appendSwitch('allow-running-insecure-content')

I have also tried setting the fetch options to include {redirect: 'manual'} and {redirect: 'error'}. I can prevent the redirect but that doesn't do me any good because I need to make a successful request to the endpoint to get my data.

I tried replacing the native fetch with electron-fetch (link) and cross-fetch (link) but there seems to be no change in behavior when I swap either of those out.

Edit: Also, making the request to my GraphQL outside of Electron with the exact same header and body info works fine (via Insomnia).

So I have a couple of questions:

  1. Is there a way to programmatically view/clear the list of HSTS domains that is being used by Chromium within Electron?

  2. Is there a better way to accomplish what I'm trying to do?

kaxline
    Absent of any good solutions, I went ahead and switched to using `localhost` instead of a custom local domain in order to avoid the issue entirely. Not ideal, but I understand this is probably an edge case that not many people run into so perhaps not worth opening an issue or feature request over. – kaxline Sep 06 '20 at 18:19
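As an added illustration (not code from the question or the answer): a small model of the HSTS upgrade rule from RFC 6797 that Chromium applies before an http:// request ever leaves the app, which is why the "307 Internal Redirect" is synthesized locally and never reaches nginx. I am not aware of a public Electron API for listing or clearing the HSTS store, so this models the decision instead of calling into Electron; the function names and the sample policies are constructed for this example.

```javascript
// Constructed model of a browser's HSTS store and its upgrade decision (RFC 6797).
// Function names and sample policies are constructed; this is not Electron's API.

function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of headerValue.split(';')) {
    const [name, value] = raw.split('=').map((s) => s.trim());
    if (name.toLowerCase() === 'max-age') {
      // Quoted values are allowed; a missing or malformed value is ignored.
      const n = value ? Number(value.replace(/^"|"$/g, '')) : NaN;
      if (Number.isInteger(n) && n >= 0) policy.maxAge = n;
    } else if (name.toLowerCase() === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return policy.maxAge === null ? null : policy; // no max-age => header ignored
}

// store: Map of hostname -> policy, as a browser keeps it per host it has visited.
function recordHsts(store, host, headerValue) {
  const policy = parseHsts(headerValue);
  if (!policy) return;
  const key = host.toLowerCase();
  if (policy.maxAge === 0) store.delete(key); // max-age=0 clears the entry
  else store.set(key, policy);
}

// Returns true when a request to `host` would be upgraded to https://.
function mustUpgrade(store, host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const policy = store.get(labels.slice(i).join('.'));
    if (!policy) continue;
    if (i === 0) return true;                   // exact host match
    if (policy.includeSubDomains) return true;  // superdomain opted its subdomains in
  }
  return false;
}

// Constructed scenario: the app once loaded https://myapp.com, which sent HSTS with
// includeSubDomains; that pins every *.myapp.com, while plain `localhost` is untouched.
function demo() {
  const store = new Map();
  recordHsts(store, 'myapp.com', 'max-age=31536000; includeSubDomains');
  return {
    local: mustUpgrade(store, 'local.myapp.com'),
    localhost: mustUpgrade(store, 'localhost'),
  };
}
```

Running `demo()` returns `{ local: true, localhost: false }`, which matches the behavior described in the question and the comment above: a superdomain policy with includeSubDomains covers the custom local host, and switching to `localhost` sidesteps it.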

1 Answer


I think the issue might be from the server. Most servers don't allow HTTP in any possible way; they'll drop the data transfer and redirect you to HTTPS, and there's a clear reason why they would do that.

Imagine you have an app that connects through HTTPS to send your API key in return for some data. If someone just changed the https:// to http://, that'd mean the data will be sent unencrypted, and no matter what you do with your API key, it'll be exposed. That's why the servers don't ever allow any HTTP request; they don't accept even a single bit of data.

I could think of two solutions.

  • Chromium is not the reason for the redirect; your Django instance might be configured as production or with HTTPS listeners.
  • Nginx might be the one that's doing the redirecting (having a little bit of SSL def in the configuration).
  • Last but not least, just generate a cert with OpenSSL (on host http://local.myapp.com:3000/; note: include the port) and use that on your Django instance. You can trust the certificate so that it works everywhere on your computer.
Ian Elvister