Ask Reuben

Secure Context

Why is the clipboard front-call returning FALSE? 

What is a Secure Context? 

What is this red badge on the settings icon?

Secure Context is not a Four Js invention.  The formal definition can be found at a W3C page https://www.w3.org/TR/secure-contexts/ and also at a Mozilla page https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts.  These links give good definitions and explanations of the concepts and I won’t repeat here.  What I will mention is where this impacts Genero.

What you may notice is that some functionality, a good example is the Clipboard front-calls such as cbSet, cbGet, work fine in your development environment but then in another environment they return an error, FALSE or blank as appropriate.  What has likely happened is that in your development environment, you are using localhost as part of your URL and so the environment is deemed to be secure, whilst the other environment is using http (not https) and an IP-address (not localhost explicitly) and so is not deemed to be secure.  Hopefully in production, you are using https and so this is deemed a secure context.

In a recent GBC release, the Settings icon and window were enhanced to display something called Degraded Mode Alert.  This takes the form of a red badge on the Settings icon, and some additional text in the Settings Window …

As you can hopefully ses, the badge alerts you that not all functionality is available, and the text in the Settings window gives more detail.

The key lessons are to …

  • Use a Secure Context where possible.  If you are not going to use a Secure Context, be aware that some functionality such as the Clipboard API will be lost.
  • Note the difference between using localhost and your actual IP address in a URL.  Using http://localhost is deemed secure whilst http://192.168.your.address is not.
  • Be diligent with functionality impacted by the Secure Context concept and make sure you have code  to handle the case where the functionality is impacted by not being in a Secure Context.  For instance I found with fgl_zoom, that my use of cbSet front-call was not handling the case where it would return FALSE when the context was not secure.  In that case I needed to add code to alert the user that the clipboard had not been populated.

If you ever wonder why a Secure Context is necessary, ask yourself what would a malicious website developer do if it could do what you are asking.