WebXR on a server that isn't secure

I’ve run a few tests with Babylon JS in a handful of Oculus devices and I’ve noticed that VR content doesn’t seem to work on websites that use http instead of https. That is, the canvas doesn’t load with 3D data at all, period, without the SSL certificate. I just get a blank white canvas.

Does anyone know if there is a way to circumvent this? Is this a feature of Oculus, Babylon JS, or just a bug?

Think https is right in the spec for WebXR, so no backdoor.

What I did was create my own certificate authority, then create my own certificate with my authority. Windows, where my server is hosted, complains when you try to add the authority, but does it. You then add the certificate to the server.

On the device, the browser has a real tantrum, but complies. This is a low-level solution. I have done this before. Someone else probably has a less brutal method. Maybe the on-desktop emulator will work. I never ran that.

Why
WebXR_Device_API

“This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.”

I believe the main reason is that WebXR intrinsically provides precise, fingerprint type, real world data. Here’s an explainer document about it:

Options
With Oculus, it’s also possible to disable the HTTPS check in Chrome browser and access content over the ADB link, thus circumventing as a developer. Here’s someone’s write-up on that option:

But generally for doing dev/testing, per JC Palmer’s answer, it’s easier to run an HTTPS-capable server. The Oculus browser will work with self-signed certificates. Many newer dev environment starting templates will have the option to start an HTTPS server such that they will create self-signed certificates automatically if you don’t want to create/use your own. The recent rework of the babylon.js build/dev system servers has that option too.

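Added example, not part of any post in this thread and not Babylon.js code: a small page-side check that reports why WebXR is unavailable (plain http versus a browser without WebXR versus an unsupported session mode) instead of leaving a blank canvas. The function names and the `win` parameter are assumptions made for illustration and testing; `isSecureContext`, `navigator.xr` and `isSessionSupported` are the standard browser APIs.

```javascript
// Added example: explain why WebXR is unavailable instead of showing a blank canvas.
// `win` is a window-like object (an assumption, for testability); in a browser,
// call diagnoseXR() with no arguments to inspect the real page.
function xrPrecheck(win = globalThis) {
  // navigator.xr is a [SecureContext] attribute: over plain http to a LAN
  // address the property is simply absent. http://localhost counts as secure.
  if (win.isSecureContext === false) {
    return {
      ok: false,
      reason: "insecure-context",
      hint: "Serve the page over https; a self-signed certificate is enough for development.",
    };
  }
  if (!win.navigator || !win.navigator.xr) {
    return { ok: false, reason: "no-webxr", hint: "This browser does not expose navigator.xr." };
  }
  return { ok: true, reason: "xr-present", hint: "" };
}

async function diagnoseXR(mode = "immersive-vr", win = globalThis) {
  const pre = xrPrecheck(win);
  if (!pre.ok) return pre;
  try {
    const supported = await win.navigator.xr.isSessionSupported(mode);
    return supported
      ? { ok: true, reason: "supported", hint: "" }
      : { ok: false, reason: "mode-unsupported", hint: `No device available for ${mode}.` };
  } catch (err) {
    // Rejects with SecurityError when a permissions policy blocks XR,
    // e.g. inside an iframe without allow="xr-spatial-tracking".
    return { ok: false, reason: "blocked", hint: err && err.name ? err.name : String(err) };
  }
}

// Browser usage: show the reason on the page before starting the engine.
if (typeof document !== "undefined") {
  diagnoseXR().then((r) => {
    if (!r.ok) document.body.insertAdjacentText("afterbegin", `WebXR unavailable: ${r.reason}. ${r.hint}`);
  });
}
```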