[Webkit-unassigned] [Bug 171934] Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 30 03:01:06 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=171934

--- Comment #80 from Frédéric Wang (:fredw) <fred.wang at free.fr> ---
So I think we are more or less on the same page about the importance of this.

My proposal is to start with a simple approach:

* Introduce two TrustworthyLoopbackIPAddresses and TrustworthyLocalhostAddresses preferences that can be disabled for the sake of mixed content tests or if we can't guarantee the used APIs don't map localhost addresses to loopback.

* The TrustworthyLoopbackIPAddresses pref would do comment 46 i.e. point 4 of https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

* The TrustworthyLocalhostAddresses pref would do point 5 of https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

TrustworthyLoopbackIPAddresses would be enabled on all ports by default. For TrustworthyLocalhostAddresses, we can start as disabled by default and later conditionally enabled depending on the WebKit port or APIs.

Note that this won't be following point 2. of https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-06#section-3 since we would be delegating the resolution to the APIs, but I'm not sure there is an easy alternative for now, IIUC what Michael and Maciej said.

-- 
You are receiving this mail because:
You are the assignee for the bug.
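As an added illustration of the proposal in comment #80 (this is example code, not WebKit's implementation): the two preferences gate steps 4 and 5 of the "is origin potentially trustworthy" algorithm, with the loopback check on by default and the localhost-name check off by default. Step 3 (https/wss) is included so the function is usable as a whole. The struct, function names and the strict address parsers are assumptions for this sketch; the IPv6 parser deliberately rejects embedded-IPv4 forms such as `::ffff:127.0.0.1`, which the spec's `::1/128` rule would not match anyway.

```cpp
// Example code (not from WebKit): sketch of the TrustworthyLoopbackIPAddresses and
// TrustworthyLocalhostAddresses preferences proposed in comment #80, applied to
// steps 3, 4 and 5 of https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

struct SecureContextPreferences {               // hypothetical name
    bool trustworthyLoopbackIPAddresses = true;  // proposed default: enabled
    bool trustworthyLocalhostAddresses = false;  // proposed default: disabled
};

SecureContextPreferences makePrefs(bool loopback, bool localhost)
{
    SecureContextPreferences p;
    p.trustworthyLoopbackIPAddresses = loopback;
    p.trustworthyLocalhostAddresses = localhost;
    return p;
}

static std::vector<std::string> split(const std::string& s, char sep)
{
    std::vector<std::string> out;
    std::string cur;
    for (char c : s) {
        if (c == sep) { out.push_back(cur); cur.clear(); } else cur += c;
    }
    out.push_back(cur);
    return out;
}

// Strict dotted-quad parser: exactly four decimal octets, so "127.1" or hex forms are rejected.
static bool parseIPv4(const std::string& host, uint8_t octets[4])
{
    auto parts = split(host, '.');
    if (parts.size() != 4) return false;
    for (size_t i = 0; i < 4; ++i) {
        if (parts[i].empty() || parts[i].size() > 3) return false;
        unsigned value = 0;
        for (char c : parts[i]) {
            if (!std::isdigit(static_cast<unsigned char>(c))) return false;
            value = value * 10 + (c - '0');
        }
        if (value > 255) return false;
        octets[i] = static_cast<uint8_t>(value);
    }
    return true;
}

// Minimal IPv6 parser: hextets, one optional "::" compression, optional brackets.
static bool parseIPv6(std::string host, uint16_t groups[8])
{
    if (host.size() >= 2 && host.front() == '[' && host.back() == ']')
        host = host.substr(1, host.size() - 2);
    auto parseGroups = [](const std::string& s, std::vector<uint16_t>& out) {
        if (s.empty()) return true;
        for (const std::string& g : split(s, ':')) {
            if (g.empty() || g.size() > 4) return false;
            unsigned value = 0;
            for (char c : g) {
                unsigned char uc = static_cast<unsigned char>(c);
                if (!std::isxdigit(uc)) return false;
                value = value * 16 + (std::isdigit(uc) ? c - '0' : std::tolower(uc) - 'a' + 10);
            }
            out.push_back(static_cast<uint16_t>(value));
        }
        return true;
    };
    std::vector<uint16_t> head, tail;
    size_t dc = host.find("::");
    if (dc == std::string::npos) {
        if (!parseGroups(host, head) || head.size() != 8) return false;
    } else {
        if (host.find("::", dc + 1) != std::string::npos) return false;  // only one "::" allowed
        if (!parseGroups(host.substr(0, dc), head) || !parseGroups(host.substr(dc + 2), tail)) return false;
        if (head.size() + tail.size() > 7) return false;
        head.resize(8 - tail.size(), 0);                                // zero-fill the gap
        head.insert(head.end(), tail.begin(), tail.end());
    }
    for (size_t i = 0; i < 8; ++i) groups[i] = head[i];
    return true;
}

// Step 4: host is in 127.0.0.0/8 or is ::1/128.
bool isLoopbackAddress(const std::string& host)
{
    uint8_t v4[4];
    if (parseIPv4(host, v4)) return v4[0] == 127;
    uint16_t v6[8];
    if (!parseIPv6(host, v6)) return false;
    for (size_t i = 0; i < 7; ++i) if (v6[i] != 0) return false;
    return v6[7] == 1;
}

// Step 5: host is "localhost", "localhost.", or ends with ".localhost" / ".localhost." (case-insensitive).
bool isLocalhostName(std::string host)
{
    for (char& c : host) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (!host.empty() && host.back() == '.') host.pop_back();
    if (host == "localhost") return true;
    const std::string suffix = ".localhost";
    return host.size() > suffix.size() && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Steps 3, 4 and 5 only; other steps (opaque origins, file:, UA-defined schemes) are omitted here.
bool isOriginPotentiallyTrustworthy(const std::string& scheme, const std::string& host, const SecureContextPreferences& prefs)
{
    if (scheme == "https" || scheme == "wss") return true;
    if (prefs.trustworthyLoopbackIPAddresses && isLoopbackAddress(host)) return true;
    if (prefs.trustworthyLocalhostAddresses && isLocalhostName(host)) return true;
    return false;
}
```

With the proposed defaults, `http://127.0.0.1` and `ws://[::1]` are treated as potentially trustworthy while `http://localhost` is not until TrustworthyLocalhostAddresses is turned on; disabling TrustworthyLoopbackIPAddresses restores the old behaviour, which is what the mixed-content tests would rely on.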