[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 22 05:41:50 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #55 from Mike West <mkwst at chromium.org> ---
> that's what Mike is clearly suggesting that we do, and that's what Firefox and Chrome already do.

For clarity, Mike is suggesting that y'all first implement the restrictions in https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02 such that `localhost` and `*.localhost` always resolve to loopback, and never hit the internet (see https://cs.chromium.org/chromium/src/net/dns/host_resolver_manager.cc?rcl=905e57ccac6951efcfbc514fe33839c6ede4fee2&l=2751 for example). I expect this would require CFNetwork changes for macOS, and might not be trivially implementable right away.

I don't think it's safe to treat `localhost` or `*.localhost` as secure contexts without that set of restrictions in place, as it's very unlikely that developers (or users!) understand that those names might resolve out to the internet in some cases.

-- 
You are receiving this mail because:
You are the assignee for the bug.
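
The restriction described in the comment above, as an added example that is not part of the original message and is not WebKit, CFNetwork or Chromium code: `localhost` and `*.localhost` are answered with loopback addresses before any DNS path is reached, so they never hit the internet. All function and type names are hypothetical, and returning both `127.0.0.1` and `::1` is an assumption of this sketch.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <string_view>
#include <vector>

// All names here are hypothetical; none are WebKit, CFNetwork or Chromium APIs.

// Lower-case ASCII and drop one trailing dot, so "LOCALHOST." == "localhost".
std::string NormalizeHost(std::string_view host) {
    std::string out(host);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (!out.empty() && out.back() == '.') out.pop_back();
    return out;
}

// True only for "localhost" and names whose final label is "localhost".
bool IsLocalhostName(std::string_view host) {
    static const std::string kSuffix = ".localhost";
    const std::string h = NormalizeHost(host);
    if (h == "localhost") return true;
    return h.size() > kSuffix.size() &&
           h.compare(h.size() - kSuffix.size(), kSuffix.size(), kSuffix) == 0;
}

struct Resolver {
    int network_queries = 0;  // lookups that would have left the machine

    // Localhost names are answered with loopback before any DNS path is reached.
    std::vector<std::string> Resolve(std::string_view host) {
        if (IsLocalhostName(host)) return {"127.0.0.1", "::1"};
        ++network_queries;  // stand-in for the system/DNS resolver (not called here)
        return {};
    }
};

int main() {
    Resolver r;
    // Constructed sample hostnames.
    const std::vector<std::string> samples = {
        "localhost", "App.LOCALHOST.", "notlocalhost", "localhost.example.com"};
    for (const auto& h : samples)
        std::printf("%-24s loopback=%d\n", h.c_str(), !r.Resolve(h).empty());
    std::printf("network queries: %d\n", r.network_queries);
    return 0;
}
```

The suffix check is anchored on a label boundary, so `notlocalhost` and `localhost.example.com` still go to the normal resolver and would not qualify for secure-context treatment under this rule.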