[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (127.0.0.1, localhost)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 29 09:59:30 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186039

--- Comment #4 from homakov <homakov at gmail.com> ---
> Also, not sure which CA root risk you are talking about in this context

I've clicked the wrong link, the response belongs to https://bugs.webkit.org/show_bug.cgi?id=171934

>and how this used to work for a long time, so several developers came to rely on this feature.

Used to and still perfectly works in all other browsers. I wouldn't post it here if Safari wasn't the only one violating the spec.

Why do we have to develop for different browsers with different code strategy? Wasn't the shared spec created exactly to avoid that?

>However, user security and privacy is the primary consideration by far.

And here's what hit my nerve the most. Look, I know a thing or two about web security and threat model of the web (look up track record on sakurity.com) and there is nothing wrong for a web page to talk to localhost *when localhost wants it*.

PS. You could've made a good argument mentioning DNS rebinding (RCE in rails/redis) but you didn't. And DNS rebinding is considered a vulnerability in a localhost service, not the browser.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180529/8af5996d/attachment.html>


More information about the webkit-unassigned mailing list