[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (127.0.0.1, localhost)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 31 09:43:53 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186039

--- Comment #15 from Alexey Proskuryakov <ap at webkit.org> ---
That bug and the referenced spec are about mixed content handling. That's not a normative reference for what is under discussion here. The idea here is to block all loopback subresource loads from actual web pages, regardless of whether those are http or https.

> please reach out to the other teams so that we can arrive at a consensus.  It doesn't benefit anyone to have browsers doing different things in this aspect.

WebKit is deeply committed to interoperability. Depending on the details of the final solution, it may be more or less suitable for coordination with other vendors. Changes that are primarily in browser UI (e.g. how https certificates are displayed in address bar) are generally made by browser vendors unilaterally. But that would be outside the scope of this WebKit bug anyway, as each browser that embeds WebKit makes its own decisions.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180531/44e9a652/attachment.html>


More information about the webkit-unassigned mailing list