Add --android_tunnel flag to emrun (cross-origin isolation on Android device) #20783
Conversation
This flag does two things:
1. we use 'localhost' as the hostname
2. we invoke 'adb reverse tcp:{port} tcp:{port}' before launching
This means that the page will run with cross-origin isolation.
Without cross-origin isolation, we typically can't have features
such as SharedArrayBuffer, which is needed for apps using pthreads.
lippinj
changed the title
|
Do you know why cross-origin isolation doesn't work with the regular hostname + networked? Doesn't emrun send the correct header for cross-origin to work? |
|
In the regular setup, we load the page over HTTP. Any non-localhost origin over HTTP counts as "Not Trustworthy", so a reasonably security-conscious browser will ignore the COOP header as a security measure. At least Chrome does this, logging the following error:
We can get around this by disabling security features on the browser or by promoting to HTTPS (e.g. by going through ngrok), but to my mind the port tunnel is the most straightforward option. |
I see, so an alternative would be use HTTPS, but that would require some kind of certificate which might be tricky? |
Yes. Especially since we commonly serve from a private IP address. I am not that well versed in TLS, but this is how I understand it. We might self-sign a certificate, which means we have to dismiss a security warning on the Android device each time (that is, if the browser does not reject a certificate for a private IP address out of hand, which it might for all I know). For a certificate from a CA, we presumably need to also set up a domain name that resolves to the machine we want (I doubt they issue certs for private IP addresses). I think the tunneling solution is less laborious and less invasive than either of these options. |
emrun.py
Outdated
| @@ -1636,7 +1647,12 @@ def run(): | |||
| if not file_to_serve_is_url: | |||
| if len(options.cmdlineparams): | |||
| url += '?' + '&'.join(options.cmdlineparams) | |||
| hostname = socket.gethostbyname(socket.gethostname()) if options.android else options.hostname | |||
| if options.android_tunnel: | |||
| hostname = 'localhost' | |||
There was a problem hiding this comment.
This files uses two-space indention.
There was a problem hiding this comment.
Fixed indents to two spaces.
I am proposing a new flag
--android_tunnelfor emrun.The
--android_tunnelflag has the following effects:--androidoption is set (i.e.,--android_tunnelimplies--android)localhostadb reverse tcp:{port} tcp:{port}is invoked before launching (establishes a reverse socket connection)The page running on the Android device can then have cross-origin isolation. Cross-origin isolation is (typically) required for certain browser features, in particular for SharedArrayBuffer, without which builds with pthreads cannot be run on an Android device.