[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 20 08:57:06 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #70 from Frédéric Wang (:fredw) <fred.wang at free.fr> ---
Hi. There are a lot of comments in this discussion; I'd just like to try to summarize things and be sure I understand the situation.

== Bug content ==

This bug is about not treating loopback addresses as mixed content:

(1) Required by the specification: 127.0.0.1 and ::1
(2) Optional: localhost and *.localhost

In addition for (2)

(3) the spec adds the restriction that browsers must ensure they don't resolve to a non-loopback address.

== Positions of people ==

* IIUC Mozilla and Chromium developers implemented (1)+(2)+(3)
* Several users expressed their support for (1)+(2).
* Maintainers of WebKit Linux ports (at least Michael, but I'm personally in favor too) expressed their support too for aligning with the spec.
* Some maintainers of WebKit macOS/iOS ports find the proposed change sensible/ok (Youenn and Maciej); others expressed concerns (Brent and Alexey). Can you please elaborate whether these concerns apply to both (1)+(2) or just (2)? Also, would they be addressed by implementing (3) or do you think the current specs are still too lax and WebKit should keep departing from them?

== Development ==

* Michael and Antonio have investigated this a bit (thanks!). Are you still actively working on this? Do you have patches to share?
* Tests are likely to break. We can work around this for (1) by relying on localhost instead of 127.0.0.1 but at the end we will still need a better solution when we implement (2) such as the one Michael sketched.
* Implementing the restriction (3) might require changes in low-level libraries. This is already done in GLib but for proprietary ports like macOS/iOS this will be up to Apple to handle it. However Gecko and Chromium developers implemented this, so it seems it could still be done at the web engine level?

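The three rules summarized in the comment above, written out as an added example (not WebKit, Gecko or Chromium code, and not part of the original message). The names classifyHost, allowLocalhostNames and resolve are hypothetical; resolve stands in for the platform resolver so the check for (3) can run offline against constructed answers.

```javascript
// Added example: decide whether a subresource URL's host is exempt from
// mixed-content blocking under rules (1)-(3) as summarized in the comment.
// `resolve` is a hypothetical synchronous lookup (hostname -> address strings).

// Rule (1): the loopback addresses named on the page.
function isLoopbackAddress(addr) {
  return addr === "127.0.0.1" || addr === "::1";
}

// Rule (2): "localhost" and "*.localhost", ignoring one trailing root dot.
function isLocalhostName(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === "localhost" || h.endsWith(".localhost");
}

function classifyHost(urlString, { allowLocalhostNames, resolve }) {
  // The WHATWG URL parser canonicalizes IP literals ("127.1" -> "127.0.0.1")
  // and keeps brackets around IPv6 hosts, which are stripped here.
  const host = new URL(urlString).hostname.replace(/^\[|\]$/g, "");
  if (isLoopbackAddress(host)) return "exempt-address";
  if (allowLocalhostNames && isLocalhostName(host)) {
    // Rule (3): every resolved address must be loopback; an empty answer fails.
    const addrs = resolve(host);
    if (addrs.length > 0 && addrs.every(isLoopbackAddress)) return "exempt-name";
  }
  return "mixed";
}

// Constructed resolver answers: one well-behaved, one where a hosts-file entry
// or DNS answer points a localhost name at a non-loopback address.
const goodResolver = () => ["127.0.0.1", "::1"];
const badResolver = () => ["192.0.2.10"];

const withNames = { allowLocalhostNames: true, resolve: goodResolver };
const poisoned = { allowLocalhostNames: true, resolve: badResolver };
const literalsOnly = { allowLocalhostNames: false, resolve: goodResolver };

console.log(classifyHost("http://127.0.0.1:8080/app.js", withNames));
console.log(classifyHost("http://app.localhost/app.js", withNames));
console.log(classifyHost("http://app.localhost/app.js", poisoned));
console.log(classifyHost("http://localhost/app.js", literalsOnly));
console.log(classifyHost("http://localhost.example.com/app.js", withNames));
```

A name that merely contains "localhost" or "127.0.0.1" as a label of another domain falls through to "mixed", because only the exact address match and the .localhost suffix are accepted.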