[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Oct 20 10:03:10 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #50 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to antoine from comment #49)
> Makes sense - I actually got things to work by swapping 127.0.0.1 for
> localhost in the mixed content tests (along with the string in the expected
> result) but I guess the testcontroller is a cleaner approach. I'll give it a
> shot in a separate branch. Thanks Michael!

Oh, so you chose to whitelist only 127.0.0.1 and ::1, and not also localhost. In that case, modifying TestController is of course not required.

If you want to whitelist localhost as well -- which I expect is desired -- then you will need to add a TestController setting to make the tests pass.

But it's also fine to start out by whitelisting 127.0.0.1 and ::1, and leave localhost for a follow-up patch.

(In reply to antoine from comment #46)
> In that context, the fix would only be changing the function
> MixedContentChecker::isMixedContent line 62:
> 
> return !SecurityOrigin::isSecure(url);
> 
> to
> 
> return !(SecurityOrigin::isSecure(url) ||
> SecurityOrigin::isLoopbackIPAddress(url));

Actually, it would be better to change SecurityOrigin::isSecure directly instead, since loopback can be trusted for all purposes, not just mixed content checking.

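The distinction drawn in this comment between loopback IP literals and the name localhost, as an added example that is not part of the original mail and is not WebKit's code. The helper names and the `trustLocalhostName` flag are hypothetical stand-ins for `SecurityOrigin::isSecure`, `SecurityOrigin::isLoopbackIPAddress` and the TestController setting; the sketch goes beyond the thread by accepting all of 127.0.0.0/8 rather than only 127.0.0.1.

```cpp
// Added example: hypothetical helpers, not WebKit's implementation.
#include <arpa/inet.h>
#include <cctype>
#include <cstring>
#include <string>

// True only for literal loopback IPs: 127.0.0.0/8 or ::1.
// Parsing the literal (rather than matching a string prefix) rejects
// lookalike hostnames such as "127.0.0.1.example.com".
bool isLoopbackIPAddress(const std::string& host)
{
    in_addr v4;
    if (inet_pton(AF_INET, host.c_str(), &v4) == 1)
        return (ntohl(v4.s_addr) >> 24) == 127;

    // URL hosts carry IPv6 literals in brackets: "[::1]".
    std::string h = host;
    if (h.size() >= 2 && h.front() == '[' && h.back() == ']')
        h = h.substr(1, h.size() - 2);
    in6_addr v6;
    if (inet_pton(AF_INET6, h.c_str(), &v6) == 1)
        return std::memcmp(&v6, &in6addr_loopback, sizeof v6) == 0;
    return false;
}

// "localhost" is a name, not an address, so it is trusted only when the
// caller opts in (the follow-up step discussed in the thread).
bool isLocalhostName(std::string host)
{
    for (char& c : host)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (!host.empty() && host.back() == '.')
        host.pop_back(); // tolerate the fully qualified form "localhost."
    return host == "localhost";
}

// Stand-in for the secure-origin decision: https, loopback IP, or
// (optionally) the localhost name.
bool isSecure(const std::string& scheme, const std::string& host, bool trustLocalhostName)
{
    if (scheme == "https" || isLoopbackIPAddress(host))
        return true;
    return trustLocalhostName && isLocalhostName(host);
}

// Mixed content is simply "not secure", so the loopback rule lives in
// isSecure and applies to every caller, as the comment suggests.
bool isMixedContent(const std::string& scheme, const std::string& host, bool trustLocalhostName)
{
    return !isSecure(scheme, host, trustLocalhostName);
}
```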