The biggest blocker for (securely) running P2P apps in the browser seems to be mixed content restrictions. We're so close!

Specifically, web crypto isn't available on insecure sites, and unencrypted WebSockets (e.g. to a LAN server) aren't allowed on secure sites. The crypto API *could've* proven authenticity of your LAN server without requiring domains/cert chains.

I get why they do it, but that means if you self host a web service, you have to choose A: centralization through domains+certs, or B: entirely vulnerable content (serve everything over unencrypted http). Option B is obviously a no-go.

Oddly enough Brave seems to be leading the charge in that regard. They just added IPFS integration. If you use a local node instead of a gateway, it loads the content in a weird mixed mode. You can access crypto *and* make insecure page requests.

Still, that might actually be a bug in Brave. And it has other downsides. Although crypto is enabled, other permissioned resources aren't, like audio/video. Which coincidentally was exactly what I needed it for.

I've really gone out of my way to avoid using a domain. I want to know how P2P browser apps can work in practice. But I'm not seeing a good method yet.
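
The thread's point that the crypto API could prove a LAN server's authenticity without domains or cert chains, sketched as an added example (not the author's code). It assumes the client learned a SHA-256 fingerprint of the server's public key out of band; `makeLanServer`, `keyId` and `verifyServer` are hypothetical names, and the "server" is an in-process stand-in rather than a real WebSocket peer.

```javascript
// Pinned-key challenge-response with WebCrypto (ECDSA P-256).
// Runs in Node or in a browser secure context; the fallback covers older Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const ALG = { name: "ECDSA", namedCurve: "P-256" };
const SIG = { name: "ECDSA", hash: "SHA-256" };

// Constructed stand-in for the LAN server: owns a key pair, signs challenges.
async function makeLanServer() {
  const kp = await subtle.generateKey(ALG, false, ["sign", "verify"]);
  return {
    publicKeySpki: await subtle.exportKey("spki", kp.publicKey),
    respond: (challenge) => subtle.sign(SIG, kp.privateKey, challenge),
  };
}

// Fingerprint of a public key: hex SHA-256 over its SPKI encoding.
async function keyId(spki) {
  const digest = new Uint8Array(await subtle.digest("SHA-256", spki));
  return Array.from(digest, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Client side: accept the server only if its key matches the pin (assumed to
// be known out of band) and it signs a fresh random challenge with that key.
async function verifyServer(server, pinnedKeyId) {
  if ((await keyId(server.publicKeySpki)) !== pinnedKeyId) return "key-mismatch";
  const pub = await subtle.importKey("spki", server.publicKeySpki, ALG, false, ["verify"]);
  const challenge = webcrypto.getRandomValues(new Uint8Array(32));
  const sig = await server.respond(challenge);
  return (await subtle.verify(SIG, pub, sig, challenge)) ? "ok" : "bad-signature";
}

async function demo() {
  const real = await makeLanServer();
  const pin = await keyId(real.publicKeySpki);
  const impostor = await makeLanServer();
  // Presents the real public key but can only sign with its own private key.
  const replay = { publicKeySpki: real.publicKeySpki, respond: impostor.respond };
  return [
    await verifyServer(real, pin),     // genuine server
    await verifyServer(impostor, pin), // different key
    await verifyServer(replay, pin),   // copied key, wrong signer
  ];
}
```

This only authenticates the peer; it does not change the browser rules described above, since `crypto.subtle` is still limited to secure contexts and `ws://` is still blocked from them.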
