[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (127.0.0.1, localhost)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu May 31 09:17:09 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=186039
--- Comment #14 from ctclements at gmail.com ---
(In reply to Alexey Proskuryakov from comment #13)
> Which standard are you talking about? Web browsers block dangerous resource
> loads all the time for all kinds of reasons. This one is not much different
> from blocking file: URLs loads from remote webpages, for example.
The first comment on https://bugs.webkit.org/show_bug.cgi?id=171934 shows the w3c spec. It also shows the Chrome and Firefox takes on the issue. Here is the Edge link as well - https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11963735/
If WebKit refuses to match Chrome/Firefox/Edge, that is of course your decision, but surely you can see the headache this causes developers when one browser doesn't follow the others.
If you truly believe this is a legitimate security concern, please reach out to the other teams so that we can arrive at a consensus. It doesn't benefit anyone to have browsers doing different things in this aspect.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180531/84c1f7a8/attachment.html>
More information about the webkit-unassigned
mailing list