[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (127.0.0.1, localhost)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 15 13:16:20 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186039

antoine at thirdshelf.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |antoine at thirdshelf.com

--- Comment #16 from antoine at thirdshelf.com ---
This issue of blocking localhost as well as not allowing mixed content is completely blocking Safari from multiple important use cases. The IoT field and the fintech/payments field are full of use cases for talking to localhost. Example: a point of sale running in the browser needs to talk to a server on localhost to send a payment request to a terminal on the network. Everything on the web being https nowadays, the browser needs to be able to talk to a http service on the machine. Self-signed certificates are non-sense in this context.

I fail to understand the rationale to block localhost here.
- Developers are giving you valid use cases
- It's in the spec
- Other browsers implement it
- There are no workarounds

If there were credible attacks based on this feature, you'd see Chrome and Firefox users being attacked left and right. This is not the case.

Can we please allow this so that the Web doesn't take a step backwards, and so that we don't have to tell our users "oh you need to use Chrome or Firefox, this doesn't work on Safari". There's a spec - don't be an IE6 developer.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180815/fad42dff/attachment.html>


More information about the webkit-unassigned mailing list