[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 28 08:28:19 PDT 2018


Michael Catanzaro <mcatanzaro at igalia.com> changed:

           What    |Removed                     |Added
                 CC|                            |mkwst at chromium.org

--- Comment #24 from Michael Catanzaro <mcatanzaro at igalia.com> ---
(In reply to Luca Cipriani from comment #23)
> To mention Mike West which I believe is the main expert in the world about
> CORS policy for browsers:

I don't know much about CORS, but at least he's definitely the authority on mixed content. In bug #140625 I'm tracking other cases where WebKit's behavior diverges from his specs. If you see any other bugs related to mixed content, adding a dependency on bug #140625 would be appreciated.

(In reply to Alexey Proskuryakov from comment #22)
> As mentioned in comment 1, I think that we should block localhost access for
> http too.

I won't comment on that whether or not WebKit should do that.

If you have a concrete plan to start blocking all localhost content in the near future, then obviously this should be WONTFIX.

But I rather doubt that will really happen. So long as WebKit continues to allow localhost access for http://, I'm pretty sure it really does not make any sense to block mixed content from So if we treat this solely as a mixed content issue, and assume WebKit will continue to allow loading content from localhost, then we should reopen this bug.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180528/6e36d1cc/attachment-0001.html>

More information about the webkit-unassigned mailing list