I'm not familiar with tor but would using --link fix the issue?

i.e. code-server --link - demo video

Do things like service workers that normally only work in secure contexts work on .onion sites? If not then I think the error is accurate and we should keep it.

If that functionality does work then of course the error is wrong and it seems like we will need to be more sophisticated in our detection. Currently we use window.isSecureContext.

Do things like service workers that normally only work in secure contexts work on .onion sites? If not then I think the error is accurate and we should keep it.

If that functionality does work then of course the error is wrong and it seems like we will need to be more sophisticated in our detection. Currently we use window.isSecureContext.

Well the thing is, tor is end to end encryped. Meaning

You run an unsecure site on localhost which is not accessible to the outside.

Then you configure a tor service, this will setup a service that will route from tor to the local website (even if its not accessible from the outside) the service uses encryption by default meaning no request ever leaves the local computer without being encryped on the local computer first

The encrypted request is routed through tor nodes (when going through the servers, it will get encrypted another 3 times in layers, thats why its called onion routing) each node adds a layer

In the end the last tor node sends the request to the tor browser, the tor browser will decrypt the received message, even if the url itsself is http and there is no ssl encryption used, tor by default encrypts the request, I think it uses RSA1024 if I'm not mistaken

Situations where the connection is secure: domain ends in .onion

Situarions where it is not secure:
A gateway is used, which ends in onion.to or someting else, could also be a normal website which even provides a https certificate, but is still not secure.

This means I could enable all the features by using a tor gateway that supports https, which irronically is way less secure since everything could be logged as its completely decrypted on the gateway, and then gets encrypted again with ssl or tls

Edit: not sure if this matters but tor does not support udp, I think it routes udp requests over tcp

Yes, through the browser. Microsoft Edge: open edge://flags/ look for Insecure origins treated as secure.
Add the full url to code-server. This is however unsafe.

Other option is through code-server vscode settings.

Hi,
I'm trying to build a react application with the code server as an iframe. The code server is served over HTTPS (passing in the certificate via flags when launching code server) and when I tried to launch my react application in my local (http://localhost:3000/), I don't see any issues. However, when I deploy my react application to a domain (http://my-app.com/) that's when I'm getting the error that the OP posted and also a popup saying that
code-server is being accessed in an insecure context. Web views, the clipboard, and other functionality may not work as expected.
Also when I try to open the code server URL from the iframe to a new tab, I don't see this issue. Do I need to host my react application in HTTPS as well?

Version details:
code-server: v4.3.0
Code: 1.65.2
Commit: Unknown
Date: 2022年04月14日T21:04:05.402Z
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

open chrome://flags/

search Insecure origins treated as secure

turn it on and write down your code-server address

restart your browser