I need to encrypt and decrypt data in my app and I am using crypto.subtle for that. This feature is only available in a secure context (i.e. https) so what does that mean for Capacitor apps?

From my tests, it seems to not be working, so are there any settings or configuration values that I need to enable to get this working?


More detail on what “your tests” constitute and what you define as “not working” would be extremely helpful to anybody attempting to assist your cause.

I haven’t dealt with this issue in a couple of years, so things may have changed, but one potential pitfall that used to be a concern is that the Promises that crypto.subtle returns are not zone-aware, so if you are trying to use them in an Angular app (I have no idea how other frameworks handle this), you need to zonify them.

The method that I settled on as being most futureproof (i.e. “does not rely explicitly on zone.js being present”) is to simply wrap them inside a Promise.resolve in your code. See here for an example.

There are no error messages. The calls just silently do nothing and give no feedback at all, just like in the browser (Chrome at least) when trying to access members of the crypto.subtle namespace in an insecure context.

Unless Capacitor specifically lifts these security restrictions for crypto.subtle in its webview in order to allow it to be accessed from files served through the file:// protocol, I assume the answer is that the whole crypto.subtle namespace is simply unavailable to Capacitor apps, which is disappointing to be honest.

This is not Capacitor’s fault, it’s Apple’s fault; they decide which APIs are available on WKWebView and which APIs aren’t. There is nothing we can do about it.

And sometimes, even if they are available on WKWebView they don’t work on Capacitor/Cordova apps because they are served from capacitor/ionic/app/file schemes.
In those cases you can report the issues to Apple as it seems that they are starting to consider those schemes secure and making some of the APIs work on them, but if the API you are interested in doesn’t work, it’s better to report it to them.
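
An added example, not part of any post in this thread: a check that reports why crypto.subtle is or is not usable in the current webview, followed by an AES-GCM round trip that fails with an explicit error instead of silently doing nothing. The helper names `diagnoseSubtle` and `roundTrip` and the `env` parameter are assumptions made for illustration.

```javascript
// Added example; diagnoseSubtle and roundTrip are hypothetical helper names.
// `env` defaults to globalThis; a constructed object can be passed for testing.
function diagnoseSubtle(env = globalThis) {
  const origin = env.location ? env.location.protocol : "(no location)";
  if (!env.crypto) {
    return { ok: false, reason: "no crypto object", origin };
  }
  // window.isSecureContext is false on origins the webview treats as insecure.
  if (env.isSecureContext === false) {
    return { ok: false, reason: "insecure context", origin };
  }
  if (!env.crypto.subtle) {
    return { ok: false, reason: "crypto.subtle is undefined", origin };
  }
  return { ok: true, reason: "crypto.subtle available", origin };
}

// AES-GCM encrypt/decrypt round trip that rejects with a clear message
// instead of doing nothing when WebCrypto is missing.
async function roundTrip(plaintext, env = globalThis) {
  const status = diagnoseSubtle(env);
  if (!status.ok) {
    throw new Error(`WebCrypto unavailable: ${status.reason} (${status.origin})`);
  }
  const subtle = env.crypto.subtle;
  const alg = { name: "AES-GCM", length: 256 };
  // Each call is wrapped in Promise.resolve, as suggested in the thread.
  const key = await Promise.resolve(
    subtle.generateKey(alg, false, ["encrypt", "decrypt"]));
  // 96-bit random IV; never reuse an IV with the same AES-GCM key.
  const iv = env.crypto.getRandomValues(new Uint8Array(12));
  const data = new TextEncoder().encode(plaintext);
  const ct = await Promise.resolve(
    subtle.encrypt({ name: "AES-GCM", iv }, key, data));
  const pt = await Promise.resolve(
    subtle.decrypt({ name: "AES-GCM", iv }, key, ct));
  return new TextDecoder().decode(pt);
}
```

Logging the result of `diagnoseSubtle()` once at app start, on the device itself, shows which scheme the page was served from and whether the webview exposes the API there.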