[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org
Mon Oct 21 21:50:03 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #53 from Mike West <mkwst at chromium.org> ---
(In reply to antoine from comment #51)
> (In reply to Michael Catanzaro from comment #50)
> > Oh, so you chose to whitelist only 127.0.0.1 and ::1, and not also
> > localhost. In that case, modifying TestController is of course not required.
> > 
> > If you want to whitelist localhost as well -- which I expect is desired --
> > then you will need to add a TestController setting to make the tests pass.
> > 
> > But it's also fine to start out by whitelisting 127.0.0.1 and ::1, and leave
> > localhost for a follow-up patch.
> 
> Sounds good - that's the approach I'm more comfortable with as I'm not
> certain of the implications of whitelisting localhost (see
> https://www.w3.org/TR/secure-contexts/#localhost "Given that uncertainty,
> this document errs on the conservative side by special-casing 127.0.0.1, but
> not localhost.").

Note that this changed several years ago: https://w3c.github.io/webappsec-secure-contexts/#localhost is the current text, which relies upon https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02 to lock down `*.localhost` (which I wasn't able to successfully get through DNSOP, but which Chrome and Firefox implement).

AFAIK, Chrome and Firefox both treat explicit loopback in the forms `127.0.0.1`, `[::1]`, and `*.localhost` as secure contexts.

For tests that needed to distinguish the difference (and so that we can test multiple origins more clearly), we map arbitrary addresses (e.g. `http://layout.test/`) to loopback: see https://cs.chromium.org/chromium/src/content/shell/app/shell_main_delegate.cc?rcl=dfa06417b4ff75a88202b0359fa914212f52e7b0&l=262. That might be an approach that could work for WebKit as well?

-- 
You are receiving this mail because:
You are the assignee for the bug.
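
An added example, not part of the original message and not WebKit or Chromium code: a check for the explicit loopback forms named in the comment above (`127.0.0.1`, `[::1]`, `*.localhost`). It goes slightly beyond the literal `127.0.0.1` by accepting all of 127.0.0.0/8, as the Secure Contexts text does; the function name `isExplicitLoopback` and the sample URLs are constructed for illustration.

```javascript
// Classify a URL's host as explicit loopback. Runs in Node.js or a browser;
// relies only on the built-in WHATWG URL parser.
function isExplicitLoopback(urlString) {
  let host;
  try {
    // The parser lowercases the host and canonicalizes IPv4 shorthand,
    // so "http://127.1/" arrives here as "127.0.0.1".
    host = new URL(urlString).hostname;
  } catch {
    return false; // unparseable input is never treated as loopback
  }

  // IPv6 literal: hostname keeps the brackets, and the parser compresses
  // "0:0:0:0:0:0:0:1" to "::1", so one comparison covers ::1/128.
  if (host.startsWith("[")) return host === "[::1]";

  // IPv4 literal: after canonicalization, exactly four decimal octets.
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (v4) return Number(v4[1]) === 127; // anything in 127.0.0.0/8

  // Names: "localhost" or anything ending in ".localhost", tolerating one
  // trailing root dot. The suffix match sits on a label boundary, so
  // "notlocalhost" and "localhost.example.com" do not qualify.
  const name = host.endsWith(".") ? host.slice(0, -1) : host;
  return name === "localhost" || name.endsWith(".localhost");
}

// Constructed sample inputs.
const samples = [
  "http://127.0.0.1/",             // true
  "http://127.1:8000/",            // true: shorthand for 127.0.0.1
  "http://[::1]/",                 // true
  "http://app.localhost:8080/",    // true: *.localhost
  "http://localhost.example.com/", // false: localhost is not the suffix
  "http://127.0.0.1.example.com/", // false: a DNS name, not an IP literal
  "http://layout.test/",           // false: only loopback via test-time mapping
];
for (const s of samples) console.log(s, isExplicitLoopback(s));
```

A name such as `layout.test` that a test harness maps to loopback is deliberately not matched: the check looks at what the URL says, not at what the resolver returns.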