Add HTTP warning for non-localhost hostnames (#1181)

2026-05-10 08:18:08 -04:00 · 2025-09-05 20:21:49 +02:00
parent 8655f15731
commit f09cfecb13
2 changed files with 6 additions and 2 deletions
--- a/apps/server/AliasVault.Client/Main/Layout/Footer.razor
+++ b/apps/server/AliasVault.Client/Main/Layout/Footer.razor
@@ -95,11 +95,15 @@

    /// <summary>
    /// Checks if the current URL is using HTTP and shows warning if needed.
+    /// Only shows warning for non-localhost hostnames since browsers allow crypto operations on localhost via HTTP.
    /// </summary>
    private void CheckHttpProtocol(object? sender, LocationChangedEventArgs? e)
    {
        var uri = new Uri(NavigationManager.Uri);
-        _isHttpWarning = !_httpWarningDismissed && uri.Scheme == "http";
+        var isLocalhost = uri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase) || 
+                         uri.Host.Equals("127.0.0.1", StringComparison.OrdinalIgnoreCase) ||
+                         uri.Host.Equals("::1", StringComparison.OrdinalIgnoreCase);
+        _isHttpWarning = !_httpWarningDismissed && uri.Scheme == "http" && !isLocalhost;
        StateHasChanged();
    }

--- a/apps/server/AliasVault.Client/Resources/Layout/Footer.en.resx
+++ b/apps/server/AliasVault.Client/Resources/Layout/Footer.en.resx
@@ -83,7 +83,7 @@
    <comment>Title for HTTPS warning banner</comment>
  </data>
  <data name="HttpsWarningMessage" xml:space="preserve">
-    <value>The AliasVault web app requires HTTPS for using browser crypto operations. Registering/logging in won't work over HTTP. Please switch to HTTPS and use a valid SSL certificate.</value>
+    <value>Browsers only allow secure crypto operations via HTTPS, except for localhost. Login/registration won't work over HTTP with the current hostname. Please switch to HTTPS.</value>
    <comment>Message explaining why HTTPS is required</comment>
  </data>
 </root>