[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 24 01:07:19 PST 2019


--- Comment #38 from Tim Perry <pimterry at gmail.com> ---
Totally agree with the above, thanks for reopening this!

A couple of additional points on the two risks you pointed out, just to reinforce that they're not a concern:

> Pages could exploit local web services that weren't meant to be accessed from an untrusted source.

This same risk applies equally to any non-localhost web application. The real defence against this attack is for local web services to use CORS appropriately to manage cross-domain requests, like any other domain. That blocks these requests entirely and solves this issue (assuming localhost doesn't have any special CORS behaviour, which is true afaik).

> Trojan software could install a trap version of a local web service that aims to exploit the page making use of it.

You mentioned that malicious software running on your computer likely already poses a larger threat here, which is certainly true.

In addition though, malicious software running on your computer could easily include a valid certificate for a real domain that resolves to localhost (localhost.evil.com), and then host a secure HTTPS service on localhost, to avoid all warnings.

Even if your trojan does need to interact with a web session for some reason, it's very easy to defeat localhost mixed content protection like this.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190124/7b8ddf48/attachment.html>

More information about the webkit-unassigned mailing list