
It's fantastic that it works with localhost (and I assume 127.0.0.1?), and it's fantastic that it doesn't work with anything else. This is the best middle ground.



When it doesn't work on anything other than localhost, you can't host a web server on your dev machine and test how it works on your phone. I've been through the hell of trying to test WebRTC applications on mobile Safari, and it's horrible.

Specifically, you need HTTPS for WebRTC, but you obviously have to use a self-signed cert because local IP. You can ignore the cert error and load the page, but connecting to the websocket for signaling will still fail because websocket on iOS requires a non-self-signed cert.

Non-HTTPS websocket would work, but not from an HTTPS host. So you're in a situation where you need HTTPS due to WebRTC, but you can't use HTTPS due to websockets.

In trying to push people to HTTPS by disabling features on HTTP, we're making development a _much_ worse experience. I'm not sure that's right.


You can probably just create your own root CA and install it on your mobile device for testing. I've done this for my internal stuff at home and it works well.

I use xca[0] to create/manage the root CA and the certificates, but there are other tools to do this.

[0] https://hohnstaedt.de/xca/
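
The private root CA approach from the comment above, sketched with the openssl CLI instead of xca. This is an added example, not part of the thread; the address 192.168.1.50, the name devbox.lan and all file names are constructed.

```shell
#!/bin/sh
# Added example: private root CA plus a server cert for a LAN dev machine.
# 192.168.1.50 and devbox.lan are constructed sample values.

# make_dev_pki DIR IP NAME: writes ca.key, ca.crt, dev.key, dev.crt into DIR.
make_dev_pki() {
    dir=$1 ip=$2 name=$3

    # Root CA: CA:TRUE so it may sign, pathlen:0 so it cannot mint sub-CAs.
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
        '[dn]' 'CN = Local Dev Root CA (example)' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        2>/dev/null || return 1

    # Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$name" -keyout "$dir/dev.key" -out "$dir/dev.csr" \
        2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/dev.key"

    # Leaf extensions: clients match the address they connect to against
    # subjectAltName, so the LAN IP is listed there as an IP entry.
    printf '%s\n' \
        'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = IP:$ip, DNS:$name" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/dev.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$dir/leaf.ext" \
        -out "$dir/dev.crt" 2>/dev/null || return 1
}

# check_dev_cert DIR IP: succeeds only if dev.crt chains to ca.crt AND
# its subjectAltName covers IP.
check_dev_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/dev.crt" \
        >/dev/null 2>&1
}

WORK=$(mktemp -d) && make_dev_pki "$WORK" 192.168.1.50 devbox.lan &&
    check_dev_cert "$WORK" 192.168.1.50 &&
    echo "OK: $WORK/dev.crt is valid for 192.168.1.50"
```

Only ca.crt gets installed on the test device; ca.key stays on the dev machine, since anyone holding it can issue certificates that device will trust.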


> you obviously have to use a self signed cert because local IP

Not true at all, SSL certs have nothing to do with IP of the servers that use them, the servers just have to have the correct private key for that cert.

You can make any domain point to local IPs by using the hosts file or even editing DNS directly.


I see your point about mobile testing. (I don't do mobile work, so I didn't think of it.)


Would be better if it also supported a new warning / permission to request insecure camera access.


Too confusing. There is already a permission prompt for camera access, so now there'd be two prompts, or it's still one prompt but the text is different in either case, which users can't be expected to understand.

You can go into about:config and explicitly undo this setting if you're in some weird dev corner case where it's a problem, but you should definitely put "Stop doing AV stuff in an insecure context" near the top of your TODO list.



