[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 26 17:58:52 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #63 from homakov <homakov at gmail.com> ---
There is no danger in access to 127.0.0.1, as has been shown many times in this thread. To sum it up:

1. all other browsers behave correctly, Safari doesn’t 

2. no serious attack was found that works on other browsers but doesn't in Safari

3. fingerprinting loopback services such as Redis or MongoDB is rather pointless against 99% of users. The developers are power users and can handle it.

4. fingerprinting has nothing to do with the subject (https to localhost connection). You still can perfectly access localhost from http:// websites. Allowing it from https:// changes nothing. 

5. the only reason Mixed content warnings exist is to prevent spoofing or leaking data to a middle man, which is not the case when http:// points to 127.0.0.1 and not a remote server.

There is no middle man between my browser and localhost. Or is there?

-- 
You are receiving this mail because:
You are the assignee for the bug.
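
Added example, not part of the original message and not WebKit's code: a sketch of the policy the bug title asks for, where a cleartext request from an https:// page is exempt from mixed-content blocking only when the target is a loopback IP literal. The function names, result labels and sample URLs are constructed for illustration; leaving the name "localhost" non-exempt (its resolution depends on the resolver) is an assumption of this sketch.

```javascript
// Illustrative policy check; names and labels are hypothetical.

// True only for loopback IP literals: 127.0.0.0/8 or ::1.
// The WHATWG URL parser has already normalized IPv4 forms such as
// "127.1" to "127.0.0.1" and keeps brackets around IPv6 literals.
function isLoopbackHost(hostname) {
  if (hostname === "[::1]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false; // a DNS name, e.g. "127.0.0.1.attacker.example"
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127;
}

// Classify a subresource request made by a page.
function classifyRequest(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  // Mixed content only applies to pages loaded over https.
  if (page.protocol !== "https:") return "n/a";
  if (res.protocol === "https:" || res.protocol === "wss:") return "secure";
  if (res.protocol !== "http:" && res.protocol !== "ws:") return "other-scheme";
  // Cleartext, but the traffic never leaves the machine.
  if (isLoopbackHost(res.hostname)) return "loopback";
  // Cleartext to a host that is reached over the network.
  return "mixed";
}

// Constructed sample requests.
const samples = [
  ["https://app.example/", "http://127.0.0.1:6379/"],
  ["https://app.example/", "http://[::1]:8080/status"],
  ["https://app.example/", "http://127.0.0.1.attacker.example/"],
  ["https://app.example/", "http://192.168.0.10/"],
  ["http://app.example/", "http://127.0.0.1/"],
];
for (const [page, res] of samples) {
  console.log(`${page} -> ${res}: ${classifyRequest(page, res)}`);
}
```

The third sample shows why the check runs on the parsed hostname rather than a string prefix: a DNS name that merely starts with "127.0.0.1" still resolves to a remote host.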