[Webkit-unassigned] [Bug 250776] Content-Security-Policy upgrade-insecure-requests should not be applied to localhost

bugzilla-daemon at webkit.org
Wed Jan 18 13:23:53 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=250776

--- Comment #2 from Brent Fulgham <bfulgham at webkit.org> ---
We'll have to think about this in the context of Local Network Access.

Part of this is related to our choice to not treat localhost as definitively trustworthy on secure sites. Once more rigorous protections are in place so users can understand when a site on the internet reaches out to local services, it may make sense to relax things here.

I guess the use case here is a site that sends the UIR header, but doesn't want localhost to be upgraded. I understand this is convenient for web app authors, but it doesn't especially make sense from the standpoint of the UIR header's use.
