Set up development SSL certificates for webviews


We are developing a theia extension that we might actually turn into a vscode plugin, for commodity and outreach reasons. The plugin would open webviews with a react application in them.

It works well in vscode and theia-electron, but theia-browser requires ssl for the service worker to work with our javascript. The problem is that theia creates URIs with the scheme {{uuid}}.webview.{{hostname}} by default, and in a development environment, hostname being localhost, I can’t seem to generate the proper certificate that will cover all URIs, and in the webview I don’t even get the chance to accept the certificate.

The certificate is a self-signed certificate for *.localhost. It was accepted for the initial https://localhost:3000, but after that I get warnings of an unsafe site, and neither firefox nor chrome wants to get me in the webview!

I can temporarily fix the issue by starting the application in unsecure mode with THEIA_WEBVIEW_EXTERNAL_ENDPOINT={{hostname}} theia start --ssl [...], but it’s not ideal. I suppose that in a production environment, people would have a real certificate, but not developers and simple users.

So, how can I set up a secure development SSL certificate for theia and webviews? Or is working in an unsecure environment sufficient for development use cases?


Localhost is considered a secure context. You can use it for development without ssl.

@akosyakov Are you saying that WebViews should work out of the box while running the example browser app on localhost, or that it is “safe” to set THEIA_WEBVIEW_EXTERNAL_ENDPOINT={{hostname}} when developing?

Because right now webviews don’t work by default when running the example browser app (but it works with the example electron app, you can try the Markdown: Open Preview command).

edit: I did more testing: the vhost requests are not going through when on Windows, and on Linux even though the requests go through, because we are not running https we get an error saying service workers are disabled and webviews might not work.

Yes, it should work with localhost, at least in Chrome? Firefox had some bugs in treating localhost subdomains as secure.
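
Added example, not part of any post in this thread and not Theia's or any browser's code: a simplified RFC 6125-style matcher (a `*` stands for exactly one whole leftmost label) that checks which hosts of the `{{uuid}}.webview.{{hostname}}` scheme a certificate's DNS subjectAltName entries cover. The function names, the sample uuid and the SAN list returned by `requiredSans` are assumptions made for illustration.

```javascript
// Simplified RFC 6125-style DNS name matching: "*" is honoured only as the
// whole leftmost label and stands for exactly one label.
function sanMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  // One wildcard = one label, so both names must have the same label count.
  if (p.length !== h.length || h.includes('')) return false;
  return p.every((label, i) => (label === '*' ? i === 0 : label === h[i]));
}

// First SAN entry that covers `host`, or null when none does.
function coveringSan(sans, host) {
  return sans.find((s) => sanMatches(s, host)) ?? null;
}

// Hosts from `hosts` that a certificate with these SANs leaves uncovered.
function uncoveredHosts(sans, hosts) {
  return hosts.filter((h) => coveringSan(sans, h) === null);
}

// SAN entries needed for the {{uuid}}.webview.{{hostname}} scheme
// (hypothetical helper: the app origin plus one wildcard for the webview label).
function requiredSans(hostname) {
  return [hostname, `*.webview.${hostname}`];
}

// Constructed sample data: placeholder uuid, hostname "localhost".
const WEBVIEW_ID = '3f2b8c1e-0000-4000-8000-000000000000';
const hosts = ['localhost', `${WEBVIEW_ID}.webview.localhost`];

const asInThread = ['*.localhost'];        // SAN of the certificate in the question
const widened = requiredSans('localhost'); // ['localhost', '*.webview.localhost']

console.log('uncovered with *.localhost:', uncoveredHosts(asInThread, hosts));
console.log('uncovered with widened SANs:', uncoveredHosts(widened, hosts));
```

Under this rule `*.localhost` covers neither the bare `localhost` origin nor the two-label-deep webview host, while the widened SAN list covers both; how a particular browser treats wildcard names under `localhost` is not modelled here.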