Question: Why do I get “auth0-spa-js must run on a secure origin” error?
Answer:
Internally, the SDK uses the Web Cryptography API to create a SHA-256 digest.
According to the spec (via GitHub issues), the Web Cryptography API requires a secure origin, so accessing Crypto.subtle
in a non-secure context returns undefined.
In most browsers, secure origins are origins that match at least one of the following (scheme, host, port) patterns:
(https, *, *)
(wss, *, *)
(*, localhost, *)
(*, 127/8, *)
(*, ::1/128, *)
(file, *, —)
If you’re running your application from a secure origin, it’s possible that your browser doesn’t support the Web Crypto API. For a compatibility table, see "Can I use... Support tables for HTML5, CSS3, etc".
Supporting Documentation:
Relevant GH issue: Please require a secure origin (Bug 25972) · Issue #28 · w3c/webcrypto · GitHub
Documentation: Repository Documentation
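Added example (not part of the SDK or the original answer): a small diagnostic that checks a page URL against the secure-origin patterns listed above and tells the two causes of the error apart, an insecure origin versus a browser without Web Crypto. The function names isSecureOriginPattern and diagnoseWebCrypto are hypothetical, and the pattern check is an approximation of what browsers do; in a browser, window.isSecureContext is the authoritative answer.

```javascript
// Added example; function names are hypothetical, not auth0-spa-js APIs.

// Returns true when the URL matches one of the (scheme, host, port)
// patterns from the answer. Port is a wildcard in every pattern, so it is ignored.
function isSecureOriginPattern(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.replace(/:$/, "");
  // URL.hostname keeps the brackets around IPv6 literals, e.g. "[::1]".
  const host = url.hostname.replace(/^\[|\]$/g, "");

  if (scheme === "https" || scheme === "wss") return true; // (https, *, *), (wss, *, *)
  if (scheme === "file") return true;                      // (file, *, -)
  if (host === "localhost") return true;                   // (*, localhost, *)
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;       // (*, 127/8, *)
  if (host === "::1") return true;                         // (*, ::1/128, *)
  return false;
}

// Explains why crypto.subtle is (or is not) usable for a given page URL.
// cryptoObj is window.crypto in a browser; it is passed in so the
// logic can be exercised outside a browser as well.
function diagnoseWebCrypto(pageUrl, cryptoObj) {
  if (cryptoObj && cryptoObj.subtle) return "ok";
  return isSecureOriginPattern(pageUrl)
    ? "browser-lacks-web-crypto" // secure origin, but no SubtleCrypto support
    : "insecure-origin";         // serve over https or use localhost instead
}

// Browser usage (guarded so the file also loads under Node):
if (typeof window !== "undefined") {
  console.log(diagnoseWebCrypto(window.location.href, window.crypto));
}
```

A typical trigger is opening a development build through a LAN address such as http://192.168.1.10:3000 (constructed example), which matches none of the patterns even though http://localhost:3000 on the same machine does.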