[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 10 22:12:57 PDT 2017


--- Comment #3 from Alexey Proskuryakov <ap at webkit.org> ---
> Are you suggesting to block networking from a non-localhost web page to any localhost URL?


> What kind of risks are you envisioning?

This opens up any service listening to connections on loopback interfaces to attacks of any kind. A web page can exploit request parsing bugs, or it can exfiltrate data that was meant to only be made available to a loopback counterpart.

This is similar in spirit to attacks that were recently addressed by dropping support for HTTP/0.9.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170511/4f63e08c/attachment-0001.html>

More information about the webkit-unassigned mailing list