[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 22 05:41:50 PDT 2019


--- Comment #55 from Mike West <mkwst at chromium.org> ---
> that's what Mike is clearly suggesting that we do, and that's what Firefox and Chrome already do.

For clarity, Mike is suggesting that y'all first implement the restrictions in https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02 such that `localhost` and `*.localhost` always resolve to loopback, and never hit the internet (see https://cs.chromium.org/chromium/src/net/dns/host_resolver_manager.cc?rcl=905e57ccac6951efcfbc514fe33839c6ede4fee2&l=2751 for example). I expect this would require CFNetwork changes for macOS, and might not be trivially implementable right away.

I don't think it's safe to treat `localhost` or `*.localhost` as secure contexts without that set of restrictions in place, as it's very unlikely that developers (or users!) understand that those names might resolve out to the internet in some cases.
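The restriction described in the comment above, sketched as an added example that is not part of the original message and is not WebKit, CFNetwork or Chromium code. All function names are hypothetical, and answering with both `127.0.0.1` and `::1` is an assumption about which loopback addresses to return.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helpers for illustration only.

// True for "localhost" and any name under ".localhost", compared
// case-insensitively and ignoring one trailing root dot.
bool IsLocalhostName(std::string host) {
    if (!host.empty() && host.back() == '.') host.pop_back();
    std::transform(host.begin(), host.end(), host.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c));
    });
    static const std::string kName = "localhost";
    static const std::string kSuffix = ".localhost";
    if (host == kName) return true;
    // A subdomain needs at least one character before ".localhost", so
    // "notlocalhost" and "localhost.example.com" do not match.
    return host.size() > kSuffix.size() &&
           host.compare(host.size() - kSuffix.size(), kSuffix.size(), kSuffix) == 0;
}

// Runs before the system resolver. For localhost names it fills `out` with
// loopback literals and returns true: the caller must not send a DNS query.
// Returns false (leaving `out` untouched) for every other name.
bool ResolveLocalhost(const std::string& host, std::vector<std::string>* out) {
    if (!IsLocalhostName(host)) return false;
    *out = {"127.0.0.1", "::1"};
    return true;
}

// Secure-context decision: a localhost name is only trusted when the
// resolver in use is known to enforce the loopback-only rule above.
bool IsTrustworthyLocalhost(const std::string& host, bool resolver_enforces_loopback) {
    return resolver_enforces_loopback && IsLocalhostName(host);
}

int main() {
    // Constructed sample hostnames.
    for (const char* h : {"localhost", "App.Dev.LOCALHOST.", "localhost.example.com"}) {
        std::vector<std::string> addrs;
        bool local = ResolveLocalhost(h, &addrs);
        std::cout << h << " -> " << (local ? addrs[0] : "system resolver") << "\n";
    }
    return 0;
}
```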
