[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org
Tue Oct 22 07:19:19 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #56 from antoine at thirdshelf.com ---
(In reply to Michael Catanzaro from comment #54)
> Well some developers might prefer duplicating all the tests in order to be
> thorough, but honestly I think that would create more maintenance effort
> than actual value. So after you've switched from 127.0.0.1 to localhost in
> the tests, I would duplicate only one really basic test, say
> insecure-image-in-main-frame.html, call it
> insecure-image-in-loopback-main-frame.html, and verify that the content is
> not blocked when using 127.0.0.1 instead of localhost. IMO the one test
> should suffice.

Sounds good, thanks for the feedback.

> Then we should create a follow-up bug to consider *.localhost as a secure
> context as well (which requires verifying that it is indeed secure when
> using the Cocoa and curl network backends, as it now is for the soup
> backend), since that's what Mike is clearly suggesting that we do, and
> that's what Firefox and Chrome already do. Of course, bonus points if you
> want to go all the way and do it this way initially, but not required IMO.

Agreed, fixing loopback as a first step is risk-free and will address the pains everyone expressed in this thread. Mike brought some great points and I’ll let a more experienced developer tackle localhost.

I just ran the entire regression suite though and it seems like we can’t avoid a TestController for some tests that rely on 127.0.0.1 to be insecure and need a cross-domain origin from localhost. This TestController will anyways be useful the day localhost becomes trusted as well.
