Thank you for the suggestion.
Can you develop the idea further, please? As far as I know, that function can be called from any environment, even the backend, and does not relate to http/https or it’s specific to the frontend.
Yes, good point. The issue is specific to the frontend. window.crypto.randomUUID is only available in some contexts, based on this answer. This tripped us up recently on a frontend project. It took a while to find the source of the issue. I think this has happened to us before as well. So it would be good if we could just have a rule that will flag this to any developer trying to use it in future.
Thanks for the clarification. I was not aware myself that it was not available on insecure contexts. I see in MDN that the same applies to other properties of the Crypto interface.
Not sure we are able to detect the context from a pure static analysis perspective, but I’ll discuss this internally with the team and let you know.
Thanks, Victor. Even a global on/off flag for this rule in our projects would allow us and others to catch this. It’s so easy to slip through code/QA reviews, but we ideally never want someone using it in our frontend projects.
Could you elaborate on which context you are using HTTP?
Most users running a public server would use HTTPS. Is your use case something else?
We have a few levels of environment internally. In our pipelines we can create a “topic” environment from any git branch. This can be used for testing, demos, troubleshooting: basically any time someone other than a dev wants to use software built from a git branch quickly. These use http connections. We developed an internal library for other teams and tested it on localhost and https contexts. But once we signed it off and gave it to other teams, they found issues in their demos and testing.