[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content
bugzilla-daemon at webkit.org
Thu Jan 24 01:07:19 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=171934
--- Comment #38 from Tim Perry <pimterry at gmail.com> ---
Totally agree with the above, thanks for reopening this!
A couple of additional points on the two risks you pointed out, just to reinforce that they're not a concern:
> Pages could exploit local web services that weren't meant to be accessed from an untrusted source.
This same risk applies equally to any non-localhost web application. The real defence against this attack is for local web services to use CORS appropriately to manage cross-domain requests, like any other domain. That blocks these requests entirely and solves this issue (assuming localhost doesn't have any special CORS behaviour, which is true afaik).
> Trojan software could install a trap version of a local web service that aims to exploit the page making use of it.
You mentioned that malicious software running on your computer likely already poses a larger threat here, which is certainly true.
In addition though, malicious software running on your computer could easily include a valid certificate for a real domain that resolves to localhost (localhost.evil.com), and then host a secure HTTPS service on localhost, to avoid all warnings.
Even if your trojan does need to interact with a web session for some reason, it's very easy to defeat localhost mixed content protection like this.
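One way a local web service could apply the CORS defence described in the comment above, as an added example that is not part of the original message or of any WebKit code. The allowed origin `https://app.example.com`, port 8765 and the `cors_decision` helper are assumptions made for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the only web origin allowed to call this local service.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = "GET, POST, OPTIONS"


def cors_decision(method, origin):
    """Return (status, extra_headers) for a request to the local service.

    origin is the value of the Origin header, or None when absent
    (non-browser clients such as curl do not send one).
    """
    if origin is None:
        # No browser origin involved: serve it, but grant no CORS access.
        return 200, {}
    if origin not in ALLOWED_ORIGINS:
        # Refuse server-side, so the request has no effect even where the
        # browser would only have hidden the response from the page.
        return 403, {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":  # CORS preflight
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = "Content-Type"
        return 204, headers
    return 200, headers


class Handler(BaseHTTPRequestHandler):
    def _respond(self):
        status, headers = cors_decision(self.command, self.headers.get("Origin"))
        body = b'{"ok": true}\n' if status == 200 else b""
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_OPTIONS = _respond


if __name__ == "__main__":
    # Bind to loopback only; port 8765 is an arbitrary choice.
    HTTPServer(("127.0.0.1", 8765), Handler).serve_forever()
```

The allowlist echoes back only an exact matching origin and never `*`, so a page on any other origin, including the opaque `null` origin, gets a 403 and no CORS headers.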