[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

Mon May 28 03:34:29 PDT 2018

https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #23 from Luca Cipriani <l.cipriani at arduino.cc> ---
(In reply to Alexey Proskuryakov from comment #1)
> We should consider blocking cross origin access to localhost completely,
> it's a pretty terrible security risk.

Hi Alexey,

I can partially agree on this but there should be an alternative. Please also look at how chrome is addressing it (being discussed since March 2014

https://bugs.chromium.org/p/chromium/issues/detail?id=378566

Now the fact you can easily screw up everything anyway by just calling a plain http website that calls http://127.0.0.1 does not mean with Mixed-Content cors you are increasing the overall security of your users. in fact you are decreasing security because to use this feature users installs CA certificates.

This is what we are doing now: https://letsencrypt.org/docs/certificates-for-localhost/ plus signing every request coming from the web to verify they are coming from our specific servers, but this is a problem of the server running on localhost that needs some sort of security and authentication system. (I remember CUPS using username/pass of the root users on many systems since the early days.)

In my opinion your are not solving the security issue enforcing mixed content error for 127.0.0.1, an attacker can still circumvent it by using a plain http webstie. You will do if you completely remove 127.0.0.1 to be contacted from the web but then please provide an api to let web application contact the hardware, we are no more in '90s.

To mention Mike West which I believe is the main expert in the world about CORS policy for browsers:

https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

"Currently, mixed content checks block http://127.0.0.1 from loading in a
page delivered over TLS. I'm (belatedly) coming around to the idea that
that restriction does more harm than good. In particular, I'll note that
folks are installing new trusted roots and self-signing certs for that
IP address, exposing themselves to additional risk for minimal benefit.
Helpful locally installed software is doing the same, with even more
associated risk."

Our alternative is to tell the user just use any other browser engine than WebKit. So please let us know if you want to include the change in the roadmap or at least let us know if it is going to be WONTFIX so we can phase WebKit out or not accordingly.

Thank you!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180528/fcbe7e1f/attachment-0001.html>