Using Web Cryptography API

Gao
Today, while checking the security alerts from GitHub code scanning, I saw one that needs to be fixed. It is a cryptography problem: in JavaScript, `Math.random` is a pseudo-random number generator and can be easily guessed. So I have to fix this issue in my code. I checked the code, and most of the random numbers are not used in cryptography; they are only used to randomly select an object. But one util that I need to fix is the old createUUID util. It is written in pure JavaScript and implements the algorithm from RFC 4122. Now, in JavaScript, we can use the new Crypto API.

### Web Crypto API

[MDN link](https://developer.mozilla.org/en-US/docs/Web/API/Crypto)

The Web Crypto API is an interface allowing a script to use cryptographic primitives in order to build systems using cryptography.

#### Interfaces

Some browsers implemented an interface called Crypto without having it well defined or being cryptographically sound. In order to avoid confusion, methods and properties of this interface have been removed from browsers implementing the Web Crypto API, and all Web Crypto API methods are available on a new interface: SubtleCrypto. The `Crypto.subtle` property gives access to an object implementing it.

### Crypto

The `Crypto` interface represents basic cryptography features available in the current context. It allows access to a cryptographically strong random number generator and to cryptographic primitives.

Note: This feature is available in Web Workers.

The `Web Crypto API` is accessed through the global `crypto` property, which is a `Crypto` object.

#### Properties

This interface implements properties defined on `RandomSource`.

`Crypto.subtle` (Read only, Secure context)

Returns a `SubtleCrypto` object providing access to common cryptographic primitives, like hashing, signing, encryption, or decryption.

#### Methods

This interface implements methods defined on `RandomSource`.

##### `Crypto.getRandomValues()`

Fills the passed `TypedArray` with cryptographically sound random values.

##### `Crypto.randomUUID()`

Returns a randomly generated, 36-character-long v4 UUID.

#### Usage notes

You should avoid using the Web Crypto API on insecure contexts, even though the `Crypto` interface is present on insecure contexts, as is the `crypto` property. In addition, the `Crypto` method `getRandomValues()` is available on insecure contexts, but the `subtle` property is not.

In general, you probably should just treat `Crypto` as available only on secure contexts.

#### Specifications

**Specification**

- [Web Cryptography API #crypto-interface](https://w3c.github.io/webcrypto/#crypto-interface)
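
An added example (not code from the original post) of the `createUUID` replacement described at the top: it builds an RFC 4122 version 4 UUID from `crypto.getRandomValues()` and uses `crypto.randomUUID()` when the engine provides it. The helper names `uuidFromBytes` and `webCrypto`, and the Node.js fallback, are assumptions made for this sketch.

```javascript
// Added example: replacement for a Math.random-based createUUID helper.
// Assumption: Node < 19 has no global `crypto`, so fall back to node:crypto there.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Precomputed two-digit hex strings for byte -> text conversion.
const HEX = Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));

// Turn 16 bytes into an RFC 4122 version 4 UUID string.
// Kept separate from the random source so the bit handling can be tested.
function uuidFromBytes(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length !== 16) {
    throw new TypeError('expected a Uint8Array of 16 bytes');
  }
  const b = Uint8Array.from(bytes);   // do not mutate the caller's buffer
  b[6] = (b[6] & 0x0f) | 0x40;        // version field: 0100 (v4)
  b[8] = (b[8] & 0x3f) | 0x80;        // variant field: 10xx (RFC 4122)
  const h = Array.from(b, (x) => HEX[x]).join('');
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// Same name as the old helper; every random bit now comes from the CSPRNG.
function createUUID() {
  if (!webCrypto) {
    throw new Error('Web Crypto API is not available in this context');
  }
  // randomUUID() can be missing (older engines, insecure contexts);
  // getRandomValues() covers that case.
  if (typeof webCrypto.randomUUID === 'function') {
    return webCrypto.randomUUID();
  }
  return uuidFromBytes(webCrypto.getRandomValues(new Uint8Array(16)));
}
```

Only the UUID helper needs this change; `uuidFromBytes` can also be fed fixed bytes in unit tests to confirm the version and variant bits.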