[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org
Sun Oct 20 12:31:12 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #51 from antoine at thirdshelf.com ---
(In reply to Michael Catanzaro from comment #50)
> Oh, so you chose to whitelist only 127.0.0.1 and ::1, and not also
> localhost. In that case, modifying TestController is of course not required.
> 
> If you want to whitelist localhost as well -- which I expect is desired --
> then you will need to add a TestController setting to make the tests pass.
> 
> But it's also fine to start out by whitelisting 127.0.0.1 and ::1, and leave
> localhost for a follow-up patch.

Sounds good - that's the approach I'm more comfortable with, as I'm not certain of the implications of whitelisting localhost (see https://www.w3.org/TR/secure-contexts/#localhost "Given that uncertainty, this document errs on the conservative side by special-casing 127.0.0.1, but not localhost.").


> Actually, it would be better to change SecurityOrigin::isSecure directly
> instead, since loopback can be trusted for all purposes, not just mixed
> content checking.

Makes sense - will make the modification.

This should allow all present tests to pass. In terms of new tests - should we duplicate all of the mixed-content tests to check for 127.0.0.1 / ::1 or have only one test for that specific use case?

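The allow-list discussed in this comment (trust the literals 127.0.0.1 and ::1, but not the name localhost), as an added JavaScript example that is not part of the original message or of WebKit's code. The function names, the two-scheme model of "insecure" loads and the sample URLs are assumptions made for illustration; the check compares the host after the WHATWG URL parser has canonicalized it, so alternate spellings of the same literal match while look-alike hostnames do not.

```javascript
// Added illustration: names are hypothetical, not WebKit's SecurityOrigin API.
// Hosts trusted as loopback: exactly the two literals named in the thread.
// URL.hostname keeps the brackets around IPv6 literals.
const TRUSTED_LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]);

// Schemes treated as insecure network loads in this simplified model (assumption).
const INSECURE_SCHEMES = new Set(["http:", "ws:"]);

function isLoopbackLiteral(urlString) {
  let url;
  try {
    url = new URL(urlString); // WHATWG parser canonicalizes IP literals
  } catch {
    return false; // unparseable input is never trusted
  }
  return TRUSTED_LOOPBACK_HOSTS.has(url.hostname);
}

// True when an HTTPS page loading resourceUrl should be flagged as mixed content.
function isMixedContent(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl, page); // resolve relative URLs
  if (page.protocol !== "https:") return false;
  if (!INSECURE_SCHEMES.has(resource.protocol)) return false;
  return !isLoopbackLiteral(resource.href);
}

// Constructed sample inputs, not taken from the bug report.
const PAGE = "https://shop.example/checkout";
const SAMPLES = [
  "http://127.0.0.1:8080/api",     // loopback literal
  "http://[::1]:8080/api",         // IPv6 loopback literal
  "http://[0:0:0:0:0:0:0:1]/",     // same address, uncompressed spelling
  "http://0x7f.0.0.1/",            // same address, hex first octet
  "ws://127.0.0.1:9000/socket",    // insecure WebSocket to loopback
  "http://localhost:3000/",        // a name, resolved by the system: not trusted
  "http://127.0.0.1.example.com/", // look-alike hostname, not an IP literal
  "http://192.168.0.10/",          // private address, not loopback
];

function classifyAll() {
  return SAMPLES.map((u) => [u, isMixedContent(PAGE, u)]);
}

for (const [u, mixed] of classifyAll()) {
  console.log(`${mixed ? "BLOCK" : "allow"}  ${u}`);
}
```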