[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 18 20:43:35 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #16 from homakov <homakov at gmail.com> ---
There are people in the thread with real world use cases who you just called poor design and offered some strawman arguments on "localhost server being bad".

> Also: There's nothing to prevent /etc/hosts from directing a localhost address in the HTTPS application to some random place.

> 1. There is no guarantee that the server being used is the one the page content was expecting to connect to.

And how is this a problem for a localhost helper that verifies Origin and asks explicit confirmation to do an action for example? This design does not imply trusting 3rd party server.

> 2. Content served through the local HTTP server can pull insecure information from anywhere on the internet, serve it to the hosting page, and completely undermine the protections HTTPS is supposed to provide.

Also, this localhost server can execute untrusted GET params, 

> this kind of poor design, not encourage it.

We've been happy with the behavior of Chrome on this matter and will surely recommend that users use the browser that follows web standards.

And what about all those helpers that run in localhost? Ever heard of Ethereum? New breed of authentication solutions? It is crucial to be able to talk to local daemons.

A whole new range of use cases where you cannot upgrade the browser itself but you can install a standalone daemon and let the browser talk to it.

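As an added example (not from the bug thread or any of its participants), here is the Origin check and confirmation gate that the localhost helper described in comment #16 could enforce before acting on a browser request; the allow-listed origin, the `check_request` function and the `Decision` type are hypothetical.

```python
# Added example, not code from the WebKit thread: a localhost helper daemon
# must not treat "the request came to 127.0.0.1" as trust, because any page
# on any site can send requests there. It acts only on an explicit Origin
# from its allow-list, and never changes state without user confirmation.
from dataclasses import dataclass, field

ALLOWED_ORIGINS = {"https://wallet.example"}  # constructed allow-list (hypothetical)


@dataclass
class Decision:
    status: int                  # HTTP status the daemon would return
    cors_headers: dict = field(default_factory=dict)
    action_allowed: bool = False # True only when the action may be performed
    reason: str = ""


def check_request(method: str, headers: dict, user_confirmed: bool = False) -> Decision:
    """Decide how a localhost helper should answer one browser request.

    `headers` is the request header map; the Origin header is set by the
    browser and cannot be forged by page script, which is what makes it a
    usable trust anchor here. `user_confirmed` is True after the daemon has
    shown its own (non-web) confirmation prompt for this request.
    """
    origin = headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        # No Access-Control-Allow-Origin in the reply: the browser withholds
        # the response body from the calling page, and nothing is executed.
        return Decision(403, {}, False, "origin not allowed")

    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":
        # CORS preflight: only the allow-listed origin ever gets a positive answer.
        cors["Access-Control-Allow-Methods"] = "POST"
        cors["Access-Control-Allow-Headers"] = "Content-Type"
        return Decision(204, cors, False, "preflight ok")
    if method != "POST":
        # Query parameters on a GET never trigger an action.
        return Decision(405, cors, False, "state change requires POST")
    if not user_confirmed:
        return Decision(403, cors, False, "user confirmation required")
    return Decision(200, cors, True, "action performed")
```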