[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed May 27 06:02:55 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=171934
--- Comment #67 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Alexey Proskuryakov from comment #62)
> With the recent reports of websites fingerprinting machines using loopback
> connections, it seems even more obvious that this is a technique that needs
> to be at least restricted.
I agree that's something we probably need to start thinking about, because we have agreed anti-fingerprinting is a priority for WebKit that may take precedence over web compat. But it really has nothing to do with mixed content. Mixed content checks are not a good anti-fingerprinting measure because they can be trivially circumvented by using an http:// URI as the main resource rather than an https:// URI. A rule like "only localhost URIs may access localhost" might make sense to propose in another bug, but even if we do that, the mixed content behavior should still be changed; i.e. there's no need to display a security warning when https://127.0.0.1 loads content from http://127.0.0.1.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200527/13adcc29/attachment.htm>
More information about the webkit-unassigned
mailing list