[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 23 09:35:26 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=171934

Tim Perry <pimterry at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pimterry at gmail.com

--- Comment #35 from Tim Perry <pimterry at gmail.com> ---
Just to chime in here too, my application (https://httptoolkit.tech) also requires localhost access from the web. My application consists of a hosted web UI which interacts with an installed desktop service, that's used to start & manage other local applications & servers.

My app works in every modern browser except Safari, and unfortunately I'm going to have to simply tell that to users.

I can still see objections here that there's no good use case for web-to-localhost communication. I'd like to reiterate the evidence from this thread against that, so we can clear that argument out of the way:

* Major common applications like Spotify need this behaviour to interact with desktop applications from the web. They currently work suboptimally because of their workarounds for this (with spotilocal - see comment #8 above).

* Many hardware companies use this behaviour to build web UIs that can interact with attached hardware, including Arduino, with software depending on this running on hundreds of thousands of devices. WebUSB may resolve this for USB devices, but not yet, and only for USB devices specifically.

* There's a substantial ecosystem of Ethereum sites built entirely around localhost communication from the web: https://github.com/ethereum/web3.js

* Many developers like myself in this thread, whose applications are broken by this behaviour, in Safari only.

IMO all of these use cases are reasonable, so it's certainly not the case that there are no legitimate use cases at all.

Could anybody summarize the outstanding security concerns around this? What specific attacks would this expose users to? It would be great to try & make progress here if possible, or to find concrete security issues that could be relevant to the other browsers that have implemented this if not.
