[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org
Mon Dec 18 13:48:07 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #15 from Brent Fulgham <bfulgham at webkit.org> ---
(In reply to Brent Fulgham from comment #14)
> I do not support this requested change in behavior. Allowing HTTP from
> localhost to be included in a secure page is a terrible idea for a few
> reasons:
> 
> 1. There is no guarantee that the server being used is the one the page
> content was expecting to connect to. E.g., a trojan server running as part
> of an application you installed intercepts file transfer information when
> you go to an external cloud storage server site.
> 
> 2. Content served through the local HTTP server can pull insecure
> information from anywhere on the internet, serve it to the hosting page, and
> completely undermine the protections HTTPS is supposed to provide.
> 
> We should do more to block this kind of poor design, not encourage it.

Also: There's nothing to prevent /etc/hosts from directing a localhost address in the HTTPS application to some random place.
