[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 30 23:58:18 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #8 from Birunthan Mohanathas <birunthan at mohanathas.com> ---
(In reply to Alexey Proskuryakov from comment #6)
> I don't see any explanation in the linked issues of why it's desirable for
> non-local pages to access localhost. It's incredibly unlikely to be a
> legitimate use of web technology.

Several popular desktop applications (e.g. Spotify) install a server that binds to a localhost port. The web application (e.g. spotify.com) then uses the localhost server to control the desktop application. In order to work around the mixed-content blocker, the web application connects over HTTPS to a host (e.g. *.spotilocal.com) that simply points to 127.0.0.1:

For example:

$ dig xkbyzltjth.spotilocal.com A +short
127.0.0.1

You can see the spotilocal.com requests e.g. on this page: https://developer.spotify.com/technologies/widgets/spotify-play-button/

This ugly hack suffers from a number of problems: it doesn't work when offline due to DNS resolution failure, it doesn't work through proxies, etc.

Please keep in mind that Chrome and Firefox Nightly already allow plain HTTP connections to 127.0.0.1 without triggering the mixed content blocker. Edge is also planning to allow it (https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11963735/). For web compatibility, please consider allowing it in Safari as well.
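The rule the comment asks Safari to adopt, as an added example that is neither WebKit code nor Spotify's: a Python model of the W3C Secure Contexts "potentially trustworthy origin" check, under which a plain-HTTP subresource from a loopback host is not mixed content on an HTTPS page. Hosts are judged as written and never resolved, so a public DNS name that happens to resolve to 127.0.0.1 gains nothing; the port and sample URLs below are constructed.

```python
"""Mixed-content classification with loopback treated as a secure origin.

Added example (not WebKit's implementation). Models the subset of the
W3C Secure Contexts "potentially trustworthy origin" algorithm that is
relevant to this bug: a secure scheme, or a loopback host literal, is
trustworthy. Nothing here performs DNS resolution.
"""
import ipaddress
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https", "wss"}


def is_loopback_host(host: str) -> bool:
    """True for 127.0.0.0/8 and ::1 literals, 'localhost' and '*.localhost'."""
    host = host.strip("[]").lower()  # tolerate a bracketed IPv6 literal
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A DNS name (e.g. *.spotilocal.com) is not inspected further,
        # even if it would resolve to 127.0.0.1.
        return False


def is_potentially_trustworthy(url: str) -> bool:
    """Trustworthy if the scheme is secure or the host is a loopback literal."""
    parts = urlsplit(url)
    if parts.scheme in SECURE_SCHEMES:
        return True
    if parts.scheme in ("http", "ws") and parts.hostname:
        return is_loopback_host(parts.hostname)  # hostname is unbracketed
    return False


def is_mixed_content(page_url: str, subresource_url: str) -> bool:
    """A subresource is mixed content when the page is secure and it is not."""
    return is_potentially_trustworthy(page_url) and not is_potentially_trustworthy(subresource_url)


if __name__ == "__main__":
    page = "https://example.com/"  # constructed
    for sub in ("http://127.0.0.1:8080/status",        # constructed port
                "http://xkbyzltjth.spotilocal.com/status",
                "https://xkbyzltjth.spotilocal.com/status"):
        print(f"{sub}: mixed={is_mixed_content(page, sub)}")
```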
