[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed May 10 22:12:57 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=171934
--- Comment #3 from Alexey Proskuryakov <ap at webkit.org> ---
> Are you suggesting to block networking from a non-localhost web page to any localhost URL?
Correct.
> What kind of risks are you envisioning?
This opens up any service listening to connections on loopback interfaces to attacks of any kind. A web page can exploit request parsing bugs, or it can exfiltrate data that was meant to only be made available to a loopback counterpart.
This is similar in spirit to attacks that were recently addressed by dropping support for HTTP/0.9.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170511/4f63e08c/attachment-0001.html>
More information about the webkit-unassigned
mailing list