Connecting doesn't work in Safari #38
Comments
|
I think @tejas-crabnebula has put this best: |
|
Hey @CrabNejonas, thanks for the deep dive. Yeah, Safari can be a pain, right? I was thinking the same thing actually. We shouldn't let this slow us down. I also want to point out that we're not the only ones using websockets for this sort of thing. Chromium, Deno, Node.js, and even Bun use it too. So, I don't think we should go all out trying to change it. About the Safari issue, why don't we just bundle the UI into a Tauri app? This could be our go-to solution for Safari users or anyone else having issues with insecure websockets. Plus, it could be a cool feature if we decide to charge for the app later on. (could have a premium version with more features etc...) Let's keep the ball rolling and not get stuck on browser issues. |
If we do a Tauri app distribution I want us to do it right, not as an afterthought I so would like to just put this off for now. As for the rest: Agreed 👍 |
|
Do we know that WKWebview on Safari will not have similar problems for Mac Users? |
|
And we are planning on a Tauri app distribution target. This is why I asked Lucas to set one up here. Let's verify that it works (or doesn't) and go from there. |
I have been building apps with grpc-web in Tauri in the past no problems there, I assume the same goes for jsonrpc/websockets |
|
can this issue be closed? |
|
No the issue still stands, regardless of whether we use json-rpc or grpc or anything else we cannot connect from a website hosted on |
|
Is there a way for us to read from a recorded logfile? Use an intermediary
service?
|
Currently, the UI is a website that will be hosted at
debug.crabnebula.dev(or similar) where it will attempt to make a connection tows://localhost:PORTwherePORTis the port that the local instrumented apps JSON-rpc server is listening on.This works fine in Chrome and Firefox, but not in Safari (ofc sigh).
Judging by this webkit ticket it also seems like this is not going to be fixed anytime soon, even though it technically goes against the current W3C standard. It seems like the Safari team and higher management within apple treat this behaviour "as intended" likely so they can claim better security and privacy than other browsers.
In short: This situation will remain as-is for the foreseeable future.
So what do we do about it? We essentially have two options:
local.devtools.crabnebula.dev) add that builtin SSL certificate to the local devices keychain and then we can connect viawss://orhttps://Option 2
This means detecting Safari and prompting people to use a different browser. I spoke with @atila-crabnebula about this and we realised we don't have any data on this. So lets do some data science aye:
This chart shows a breakdown of the
@tauri-apps/cliinstalls by OS, taken from the downloads of each os-arch specific sub package published to npm (like this one). Here's a more detailed breakdown that also includes breaks this down by arch and variant:Now, this data is probably skewed by all sorts of factors:
@tauri-apps/cliis commonly used in CI, the large market share of linux can be explained by the many installs in GH action runners.I realised we also did a survey (results can be found here) that also included a question about OS the participants would want to develop for (if I remember correctly).
This indicates 18.8% of survey participants are interested in developing apps for macOS, which requires using macOS to develop.
Again, this data is also skewed in all sorts of ways (mostly age breakdown, survey participants were overwhelmingly early in their careers)
But taken together I think it is safe to assume that roughly 15-25 percent of our user base regularly develop for macOS.
Regardless of how big the Safari market share actually is, for those that are primarily safari users this means in the worst case:
I hope this helps to illustrate how this impacts user velocity. Additionally, this would introduce a repeated slowdown for users if they don't want to set the new browser as their default: They would have to manually copy&paste the link every time.
Option 1
I don't have much input to give on option 1, except that it just screams nightmare to me as it would boil down to calling a command like this:
I would love input from our security experts here @tillmann-crabnebula @chip-crabnebula @felsweg-crabnebula
So based on this, what would be my recommendation?
Given our deadlines and the amount of features we want to ship, speed is paramount. Because of this I would recommend we just go with option 2 and not support Safari for the time being at least until we have decided how devtools shall be distributed in general at which point we should revisit this issue.
@atila-crabnebula and @david-crabnebula have indicated they agree with this direction.
The text was updated successfully, but these errors were encountered: