[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jun 9 14:34:11 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=171934
--- Comment #11 from homakov <homakov at gmail.com> ---
>This opens up any service listening to connections on loopback interfaces to attacks of any kind. A web page can exploit request parsing bugs, or it can exfiltrate data that was meant to only be made available to a loopback counterpart.
That's kind of true, but why not just open up localhost that opts-in to be accessed? Preflight? Why kill communication entirely when there are a ton of use cases when localhost actually wants to be available?
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170609/7cb89e63/attachment.html>
More information about the webkit-unassigned
mailing list