[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 28 13:21:09 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=171934

Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.webkit.org/show_bug.cgi?id=186039

--- Comment #25 from Alexey Proskuryakov <ap at webkit.org> ---
I actually think that getting users to trust a certificate is better for multiple reasons.

1. It greatly reduces the impacted group, and makes it a less interesting target.

2. It requires doing something that would be a deterrent to proceeding, which is good. One may decide to limit the hack to a VM, or use a less secure secondary browser just for this purpose, or make the vendor change their approach, or decide to not work with this vendor at all. All of those are better for security.

> I can partially agree on this but there should be an alternative.

I'm not sure why you are insisting that a web browser ever needs to talk to locally installed software and hardware at all. This is low benefit and high risk.

If we had to provide an opt-in, I would argue that it should be implemented in a way that discourages its use. Installing a trusted certificate doesn't sound so bad. Another alternative could be a Developer menu option that allows 127.0.0.1 access just for the currently open window. Or maybe one can take a clue from how NPAPI plug-ins are handled by each browser.

> If you have a concrete plan to start blocking all localhost content in the near future, then obviously this should be WONTFIX.

Good point, let's make it concrete in bug 186039.
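The policy question in this thread is whether an `https://` page should be allowed to fetch plain `http://` subresources from a loopback address. The following is an added illustration, not WebKit code and not anything posted in the bug: a simplified mixed-content classifier in Python with an optional loopback exemption, so the two policies can be compared on the same set of subresource URLs. The function names, the `exempt_loopback` flag and the sample URLs are my own constructions; real browsers implement this inside their fetch layer with more cases (upgrade-insecure-requests, optionally blockable content, and so on) than shown here.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Schemes a secure page may always load: they are either themselves
# authenticated, or never leave the browser.
ALWAYS_SAFE_SCHEMES = {"https", "wss", "data", "blob", "about"}
# Schemes that travel over the network unauthenticated.
INSECURE_SCHEMES = {"http", "ws"}


def is_loopback_host(host):
    """True for 'localhost', '*.localhost', and loopback IP literals (127/8, ::1)."""
    if not host:
        return False
    h = host.lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        return ip_address(h).is_loopback
    except ValueError:
        # Not an IP literal (an ordinary DNS name), so not loopback by this rule.
        return False


def is_mixed_content(page_url, subresource_url, exempt_loopback=False):
    """Return True if a page at page_url must block subresource_url as mixed content.

    exempt_loopback=False models the strict behaviour defended in the comment
    above; exempt_loopback=True models the exception the bug proposes.
    """
    page = urlsplit(page_url)
    sub = urlsplit(subresource_url)

    if page.scheme != "https":
        # Only secure pages have a mixed-content problem at all.
        return False
    if sub.scheme in ALWAYS_SAFE_SCHEMES:
        return False
    if sub.scheme in INSECURE_SCHEMES:
        if exempt_loopback and is_loopback_host(sub.hostname):
            return False
        return True
    # Unknown or unsupported scheme on a secure page: block rather than guess.
    return True


def blocked_subresources(page_url, subresource_urls, exempt_loopback=False):
    """Audit helper: return the subset of URLs the given policy would block."""
    return [u for u in subresource_urls
            if is_mixed_content(page_url, u, exempt_loopback)]


if __name__ == "__main__":
    # Constructed sample: what a secure page might try to load.
    page = "https://shop.example/checkout"
    candidates = [
        "https://cdn.example/app.js",          # fine under either policy
        "http://127.0.0.1:8080/sign",          # the case the bug is about
        "http://[::1]:8080/sign",              # IPv6 loopback literal
        "http://localhost/sign",               # loopback by name
        "http://localhost.attacker.example/",  # looks local, is not
        "http://cdn.example/app.js",           # ordinary mixed content
    ]
    for exempt in (False, True):
        print(f"exempt_loopback={exempt}: blocked ->",
              blocked_subresources(page, candidates, exempt))
```

Running it shows the trade-off the comment is weighing: with `exempt_loopback=False` every `http://` entry is blocked; with `exempt_loopback=True` the three loopback entries become loadable by any `https://` origin, so anything listening on the local machine is reachable from every site the user visits, while the look-alike host `localhost.attacker.example` stays blocked because the check is on the resolved literal or name, not on a prefix match.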
