[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 28 07:57:27 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #77 from Frédéric Wang (:fredw) <fred.wang at free.fr> ---
I had tried to summarize my understanding in comment 70, but just to be more specific about the spec:

mixed content is defined here:
https://w3c.github.io/webappsec-mixed-content/#mixed-content

which relies on a priori authenticated URL:
https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url

which itself excludes "Potentially Trustworthy" URLs:
https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy

which itself includes the definition here:
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

4. includes loopback IP addresses e.g. 127.0.0.1 or ::1 (mentioned here in bug 171934)
5. includes domain names "localhost" and "*.localhost" (mentioned here but also in bug 160504)

Point 5. is a MAY conditioned by "ensuring that localhost never resolves to a non-loopback address", see https://w3c.github.io/webappsec-secure-contexts/#localhost

Finally, DNS resolution of "localhost" and "*.localhost" relies on https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-06#section-3 ; not sure exactly how that applies to WebKit, but point 2. requires that applications treat "localhost" and "*.localhost" themselves (without passing by APIs or libraries) while point 3. requires the same for APIs and libraries (without passing by recursive DNS servers).

Firefox and Chromium have treated loopback IP addresses as potentially trustworthy for a while and now also treat "localhost" and "*.localhost" specially (they implemented the special case for the resolution of these domains).

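As an added example (not WebKit code and not the spec text), the JavaScript below sketches the steps the comment walks through: loopback addresses (step 4), the optional "localhost"/"*.localhost" names (step 5), and the resulting mixed-content decision. The function names and the `trustLocalhostNames` option are assumptions made for this illustration.

```javascript
// Added illustration of the Secure Contexts "is origin potentially trustworthy"
// steps discussed above; not WebKit's implementation. Relies on the WHATWG URL
// parser (global URL in Node/browsers) to canonicalise hosts first.

// Step 4: 127.0.0.0/8 and ::1/128 are loopback addresses.
function isLoopbackHost(hostname) {
  if (hostname.startsWith("[") && hostname.endsWith("]")) {
    // URL serialises IPv6 hosts in compressed form, so "::1" is canonical.
    return hostname.slice(1, -1) === "::1";
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && Number(m[1]) === 127;
}

// Step 5 (a MAY): "localhost" and "*.localhost", with or without trailing dot.
// Only safe when the resolver guarantees these names never leave the host.
function isLocalhostName(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === "localhost" || h.endsWith(".localhost");
}

// trustLocalhostNames models whether the engine opted into step 5 (assumed name).
function isOriginPotentiallyTrustworthy(urlString, { trustLocalhostNames = true } = {}) {
  const url = new URL(urlString);
  const scheme = url.protocol.replace(/:$/, "");
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;
  if (isLoopbackHost(url.hostname)) return true;
  if (trustLocalhostNames && isLocalhostName(url.hostname)) return true;
  return false;
}

// A subresource fetched by an https document is mixed content only when its
// URL is not potentially trustworthy; a loopback URL therefore is not.
function isMixedContent(documentUrl, requestUrl, opts) {
  return isOriginPotentiallyTrustworthy(documentUrl) &&
    !isOriginPotentiallyTrustworthy(requestUrl, opts);
}
```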