[Webkit-unassigned] [Bug 250776] New: Content-Security-Policy upgrade-insecure-requests should not be applied to localhost

Wed Jan 18 11:31:54 PST 2023

https://bugs.webkit.org/show_bug.cgi?id=250776

            Bug ID: 250776
           Summary: Content-Security-Policy upgrade-insecure-requests
                    should not be applied to localhost
           Product: WebKit
           Version: Safari 16
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jaime at synergyos.com

Hello, I'm filing this under DOM but not sure if it is the right place. Please updated as needed :)

Safari tries to upgrade to https in localhost. Content-Security-Policy upgrade-insecure-requests should not be applied to localhost. Chrome and Firefox both do NOT upgrade insecure requests to trustworthy localhost.

Specific example: A webapp served over https tries to call a locally installed daemon which exposes an endpoint in localhost. Since Safari tries to upgrade the call to localhost, we cannot communicate with the daemon.

Please see some links for more context:
https://bugzilla.mozilla.org/show_bug.cgi?id=1447784
https://github.com/github/secure_headers/issues/348

Thank you!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230118/1ab2ebd5/attachment-0001.htm>