[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon May 28 08:28:19 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=171934
Michael Catanzaro <mcatanzaro at igalia.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mkwst at chromium.org
--- Comment #24 from Michael Catanzaro <mcatanzaro at igalia.com> ---
(In reply to Luca Cipriani from comment #23)
> To mention Mike West which I believe is the main expert in the world about
> CORS policy for browsers:
I don't know much about CORS, but at least he's definitely the authority on mixed content. In bug #140625 I'm tracking other cases where WebKit's behavior diverges from his specs. If you see any other bugs related to mixed content, adding a dependency on bug #140625 would be appreciated.
(In reply to Alexey Proskuryakov from comment #22)
> As mentioned in comment 1, I think that we should block localhost access for
> http too.
I won't comment on that whether or not WebKit should do that.
If you have a concrete plan to start blocking all localhost content in the near future, then obviously this should be WONTFIX.
But I rather doubt that will really happen. So long as WebKit continues to allow localhost access for http://, I'm pretty sure it really does not make any sense to block mixed content from 127.0.0.1. So if we treat this solely as a mixed content issue, and assume WebKit will continue to allow loading content from localhost, then we should reopen this bug.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180528/6e36d1cc/attachment-0001.html>
More information about the webkit-unassigned
mailing list