[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (, localhost)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 30 12:52:29 PDT 2018


--- Comment #11 from Brent Fulgham <bfulgham at webkit.org> ---
(In reply to ctclements from comment #10)
> (In reply to Brent Fulgham from comment #9) 
> > I doubt IT departments are excited about you running invalidated server
> > software on their corporate machines. Installing a certificate is a very low
> > bar in comparison.
> So far, no issues there.  Is there a way that self-signing a certificate and
> installing it makes make my server software any more or less validated?

This makes it seem like the security aspects of your 'solution' are being hidden from the IT department, because your installer likely does not explicitly mention a new web-accessible service is being activated. The Certificate requirement (and the admin authentication required) is triggering action on behalf of the IT department, which is exactly the right thing to be happening.

I.e., your "So far, no issues there." just means that in the security risk being introduced is hidden from all parties, while the Certificate activation requirement forces someone to think about what's happening.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180530/d7c6a42b/attachment.html>

More information about the webkit-unassigned mailing list