[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (127.0.0.1, localhost)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 30 13:11:04 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186039

--- Comment #12 from ctclements at gmail.com ---
(In reply to Brent Fulgham from comment #11)
> This makes it seem like the security aspects of your 'solution' are being
> hidden from the IT department, because your installer likely does not
> explicitly mention a new web-accessible service is being activated. The
> Certificate requirement (and the admin authentication required) is
> triggering action on behalf of the IT department, which is exactly the right
> thing to be happening.
> 
> I.e., your "So far, no issues there." just means that in the security risk
> being introduced is hidden from all parties, while the Certificate
> activation requirement forces someone to think about what's happening.

While it may seem to appear that way over the course of a handful of quickly typed paragraphs, I can assure you that our users (or really their IT departments) are aware of what they are installing in this case.

That is all irrelevant though.  The point here is that developers need to know if WebKit will follow the w3c specs or not.  If WebKit will not follow them here, what else will they not follow them on?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180530/17b72f86/attachment.html>


More information about the webkit-unassigned mailing list