[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Aug 15 16:29:03 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=171934
--- Comment #28 from youenn fablet <youennf at gmail.com> ---
It is unclear to me why we relate mixed content checks with localhost access.
Attacks to localhost servers are currently easy to do no matter mixed content or not, I do not see what protection we get there.
As for web sites that get data from localhost, they are doing the requests so they should know what the security model is.
Some workarounds:
- Self signed certificates :(
- Deliver the web site through HTTP :(
- Make the connection between browser and localhost server go through a proxy: HTTPS/WSS/WebRTC. The localhost server would need to keep a connection with this proxy so that it is available or it should be 'waken up' by making the browser navigating to it.
We should think of the best way to protect Web apps/WebKit apps from these attacks (and probably LAN server access in general). Maybe an opt-in or content blockers could help there.
It is reasonable to think that some WebKit applications will want to allow access to 127.0.0.1 and for good reasons. I do not see why mixed content checks should interfere with such apps.
Aligning with the spec makes sense to me at this point.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180815/47f14b9f/attachment.html>
More information about the webkit-unassigned
mailing list