fix(desktop): support self-signed remote HTTPS windows#289
Conversation
Route remote windows through a trusted local HTTPS proxy so WebView2 accepts secure cookies with self-signed servers. Install the rustls provider explicitly so the proxy starts reliably on Windows.
|
@pascalandr - Thanks, that's a clever trick to work around Tauri self signed. A few things,
|
|
What are our options here, do you have some ideas |
|
What I think you’re asking: given this PR’s current approach (a localhost HTTPS proxy with a locally trusted cert), what are the realistic alternatives, and is there a cleaner way to satisfy WebView2’s secure-cookie / self-signed-cert constraints on Windows. Assumption: the goal is specifically to make remote HTTPS sessions work in a Tauri WebView when the upstream server uses a self-signed cert, without opening a broad local attack surface. My read is that the option space is roughly:
Why I think this is the leading option: it preserves normal
So: technically possible to build some custom transport, but likely a lot more complexity for worse browser compatibility.
If the only requirement were “render HTML somehow”, this would be more attractive. For a full remote web app session, I think it is riskier than the localhost HTTPS proxy.
So this is worth checking as a platform capability, but I would treat it as a potential future replacement, not the safest near-term path.
If we want this feature to “just work,” this is probably not the direction. On your specific questions:
My recommendation:
If useful, I can follow up with a concrete hardening checklist for this PR. -- |
Bootstrap each remote window proxy with a random one-time token, establish a local secure session cookie, and reject unauthenticated loopback requests so other local processes cannot casually reuse the proxy port.
|
Hardened in ba9cd53: loopback-only + ephemeral port, one-time random bootstrap token, then HttpOnly; Secure; SameSite=Strict local cookie, and 403 for unauthenticated requests. I also looked at a custom protocol, but it breaks the normal HTTPS/cookie/SSE behavior we need here, so I kept the proxy and tightened it instead. |
|
Few things
|
|
|
|
Is it possible to un-trust the remote cert ? We could make it work like
|
|
Possible in theory, but I think it’s the riskier path: we’d need to pin the exact remote cert/fingerprint, trust it in the OS store, then reliably remove exactly that trust entry on close without affecting other uses of the same cert/CA. That’s broader and more fragile than trusting a local loopback cert that CodeNomad fully owns. |
There aren't going to be other users for that cert, if the cert is already there we won't need to trust it ourself. Isn't it? |
|
Can you please verify my suggestion regarding trusting untrusting cert
Keep your response brief but informative |
|
What I understand you’re asking: whether the “temporarily trust the remote cert, then untrust it on close” idea is viable across Windows, macOS, and Linux, and whether it is a better direction than the local loopback cert. Short answer:
So my recommendation stays the same: trusting a local loopback cert that CodeNomad owns is the safer design boundary than temporarily trusting arbitrary remote certs in the OS store. -- |
|
Will we have the same issues with Trusting CodeNomad owned certificate on these platforms? |
|
What I understand you’re asking: if we switch to trusting a CodeNomad-owned local cert instead of an arbitrary remote cert, do we still hit the same platform problems, and is there any helper/library that makes this easier. Short answer:
My take:
-- |
|
@pascalandr - It seems this approach of installing a certificate and creating a proxy in CodeNomad for working around a self signed SSL might not work very well on all the platforms, as explained above.
|
|
@shantur I think that’s the real tradeoff: there may simply not be a good cross-platform in-app solution here. |
|
Below config should work |
|
Thanks, this helps. I agree this could be a cross-platform path, but it looks like a much bigger project, not a small follow-up. So the immediate question is whether we keep this PR as a pragmatic Windows fix for now ? |
|
For a cross platform project, I think having a feature just to work on one won't be a good idea. |
|
Just to clarify, are you opposed to this being the Windows implementation specifically, or only to merging it without a clear path for macOS/Linux as well? I agree the feature itself should be cross-platform, even if the implementation may differ by OS. |
|
Yes that's correct. Thanks for understanding |
|
I think the most realistic cross-platform direction is to keep the same overall design on all 3 OSes, but use OS-specific trust-store integration. Common design
That keeps normal browser semantics for:
So the feature can be cross-platform even if the implementation differs by OS. WindowsThis is the approach in this PR and it is the only one actually validated so far.
macOSI think the same architecture should work.
Most likely implementation path is via LinuxSame proxy architecture in theory, but this is the hardest platform because trust stores are not uniform. Likely approach:
So I think Linux should be treated as best-effort first, then tightened based on real distro testing. Practical conclusionI do think the feature can be cross-platform, but probably not with one identical implementation. |
I don't want to inherit something that is so specific to platforms and it's not a native CodeNomad feature that's missing here. Please use a proxy, accept remote codenomad certs or run remote codenomad with proper free certs from Let's Encrypt |
|
That can only work in environments where the user controls DNS / reverse proxy / certificates, but in many work setups that is decided by IT/network admins, so it is not really a user-available solution. That is exactly why I explored a client-side workaround here. Just to clarify, I did try hard on the other paths on Windows :
|
|
Or you can use Electron version, it works fine, it has capability to allow self signed certificate |
|
Well it's a lot slower on my side, especialy in this case.
…________________________________
De : Shantur Rathore ***@***.***>
Envoyé : dimanche 5 avril 2026 00:57
À : NeuralNomadsAI/CodeNomad ***@***.***>
Cc : Pascal André ***@***.***>; Mention ***@***.***>
Objet : Re: [NeuralNomadsAI/CodeNomad] fix(desktop): support self-signed remote HTTPS windows (PR #289)
[https://avatars.githubusercontent.com/u/586441?s=20&v=4]shantur left a comment (NeuralNomadsAI/CodeNomad#289)<#289 (comment)>
Or you can use Electron version, it works fine, it has capability to allow self signed certificate
—
Reply to this email directly, view it on GitHub<#289 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AFIXBX7LLM4XHJJ575H3J7T4UGHOTAVCNFSM6AAAAACXMUBUQWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCOBXHA4DEOJVGE>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
@pascalandr - Sorry to hear that. I can surely help you get it working with nginx if you are available on Discord. |
|
@shantur, I think there may be a cleaner path now that SideCar support exists: keep the Windows/self-signed workaround outside CodeNomad in an external helper, and only use CodeNomad SideCars as the integration point. i'll try that. |
Brilliant. If it doesn't work with Sidecar, the remote server can be worked with the Windows/Self-signed workaround. That would be a better experience IMO as it will give you access to keyboard shortcuts |
|
@pascalandr - Closing this as we have another way forward. |
|
@shantur I tried the SideCar approach, but for some reason it pointed back to the local CodeNomad session instead of a properly isolated remote one. Hotkeys worked fine thought; droping it for now. |
|
Thanks |
Summary
Testing