[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Oct 19 07:27:03 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #47 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to antoine from comment #46)
> Michael Catanzaro: I see that SecurityOrigin.cpp has this 
> 
> // FIXME: Ensure that localhost resolves to the loopback address. 
> 
> in
> 
> bool SecurityOrigin::isLocalHostOrLoopbackIPAddress(StringView host)
> 
> I would suggest that the fix to this bug not tackle "localhost" resolution
> but focus on the loopback address, and a separate bug be filed for localhost.

In fact, the FIXME is not fixable at the WebKit level. DNS resolution is performed by platform libraries. In the case of WebKitGTK and WPE, that's done by GIO, which we just fixed in https://gitlab.gnome.org/GNOME/glib/merge_requests/616. For Mac, probably either CoreFoundation or perhaps the system resolver, not sure. It would be appropriate to replace the FIXME with a comment indicating that WebKit assumes localhost is always really localhost.

(In reply to antoine from comment #46)
> In that context, the fix would only be changing the function
> MixedContentChecker::isMixedContent line 62:
> 
> return !SecurityOrigin::isSecure(url);
> 
> to
> 
> return !(SecurityOrigin::isSecure(url) ||
> SecurityOrigin::isLoopbackIPAddress(url));

Nice investigation!

> Modifications to tests would involve replacing 127.0.0.1 to localhost at the
> appropriate places (which would then be modified as necessary as part of a
> separate bug to tackle localhost rules).

I'm not sure if it will be that easy. E.g. this change will likely break all the mixed content tests. I think we will just need to have a setting that tests can use to choose which behavior they get. See my suggestion in comment #43.

> Would a fix with those changes be acceptable?

I *believe* we have consensus on this change at this point, so as long as there's a new test and it doesn't break old tests, I think so. Seems clear that the test work will be harder than the change itself.

-- 
You are receiving this mail because:
You are the assignee for the bug.
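
Added example, not part of the original message and not WebKit's code: a standalone C++ sketch of the distinction discussed in this thread, where loopback IP literals are exempted from mixed-content blocking without any DNS lookup and the name "localhost" is exempted only under an explicit assumption. The names `isLoopbackIPLiteral`, `isMixedContent` and `LocalhostPolicy` are hypothetical, and the scheme check is a simplified stand-in for `SecurityOrigin::isSecure`.

```cpp
#include <arpa/inet.h>    // inet_pton, ntohl (POSIX)
#include <netinet/in.h>   // in_addr, in6_addr, in6addr_loopback
#include <cstring>
#include <string>

// Hypothetical helper. True only for IP *literals* in 127.0.0.0/8 or ::1.
// No name resolution happens here, so a resolver or hosts-file entry
// cannot change the answer.
bool isLoopbackIPLiteral(const std::string& host)
{
    std::string h = host;
    if (h.size() >= 2 && h.front() == '[' && h.back() == ']')
        h = h.substr(1, h.size() - 2);   // URL form of an IPv6 literal

    in_addr v4;
    if (inet_pton(AF_INET, h.c_str(), &v4) == 1)
        return (ntohl(v4.s_addr) >> 24) == 127;   // whole 127.0.0.0/8 block

    in6_addr v6;
    if (inet_pton(AF_INET6, h.c_str(), &v6) == 1)
        return std::memcmp(&v6, &in6addr_loopback, sizeof v6) == 0;

    return false;   // anything else is a hostname, including "localhost"
}

// TrustName encodes the assumption that the platform resolver always maps
// "localhost" to loopback; LiteralsOnly makes no such assumption.
enum class LocalhostPolicy { TrustName, LiteralsOnly };

// Assumes `host` is already lowercased by the URL parser.
bool isMixedContent(const std::string& scheme, const std::string& host,
                    LocalhostPolicy policy)
{
    if (scheme == "https" || scheme == "wss")
        return false;                     // simplified secure-scheme check
    if (isLoopbackIPLiteral(host))
        return false;                     // the exemption proposed in this bug
    if (policy == LocalhostPolicy::TrustName && host == "localhost")
        return false;                     // only as safe as the resolver
    return true;
}
```

A host such as `127.0.0.1.example.com` is a DNS name, not a literal, so it stays classified as mixed content under both policies.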