[Webkit-unassigned] [Bug 250776] Content-Security-Policy upgrade-insecure-requests should not be applied to localhost

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 18 16:54:33 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=250776

--- Comment #3 from Matthew Finkel <sysrqb at apple.com> ---
Conceptually, this is a reasonable request because no one can receive a valid TLS certificate for localhost from a public CA. But, I agree with Brent that this is not a straightforward bug. The "Upgrade Insecure Requests" specification does not explicitly give localhost an exception when deciding if the request should be upgraded. Instead, it only upgrades requests that are "a priori insecure" [0]. Chrome and Firefox handle localhost as a priori secure, but at this time WebKit handles it as insecure. There have been discussions around changing this (e.g., Bug 171934, Bug 218980), but they are currently open.

[0] https://www.w3.org/TR/upgrade-insecure-requests/#should-upgrade-for-client

-- 
You are receiving this mail because:
You are the assignee for the bug.
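The decision the comment above describes, as an added example that is not part of the bug thread and not WebKit, Chromium or Firefox code: the spec's "should this request be upgraded?" step only fires for requests whose URL is a priori insecure, i.e. not potentially trustworthy, so whether http://localhost gets rewritten to https depends entirely on whether the engine counts loopback hosts as potentially trustworthy. The code below models that with a single policy flag (`loopbackIsPotentiallyTrustworthy`, a name made up here) so the two behaviours can be compared on the same inputs; it uses the WHATWG `URL` parser available in browsers and Node.js and covers the loopback forms the Secure Contexts spec lists (127.0.0.0/8, [::1], "localhost" and "*.localhost"). Treating all of those under one flag is a simplification for illustration.

```javascript
// Added example (not WebKit code): model of the Upgrade Insecure Requests
// "should request be upgraded?" decision, parameterised on how the engine
// classifies loopback hosts. The policy object and its field names are
// assumptions made for this example.

const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

// Is this host one of the loopback forms the Secure Contexts spec calls out?
// The WHATWG parser has already normalised the host (e.g. "127.1" becomes
// "127.0.0.1", IPv6 literals keep their brackets), so string checks suffice.
function isLoopbackHost(hostname) {
  return (
    LOOPBACK_V4.test(hostname) ||
    hostname === "[::1]" ||
    hostname === "localhost" ||
    hostname.endsWith(".localhost")
  );
}

// Potentially trustworthy URL: secure schemes are always trustworthy; loopback
// hosts are trustworthy only if the engine opts in (Chrome/Firefox behaviour in
// the comment above; WebKit at the time treated them as insecure).
function isPotentiallyTrustworthy(url, policy) {
  const u = new URL(url);
  if (["https:", "wss:", "file:"].includes(u.protocol)) return true;
  return policy.loopbackIsPotentiallyTrustworthy && isLoopbackHost(u.hostname);
}

// A URL is "a priori insecure" when it is not potentially trustworthy.
function isAPrioriInsecure(url, policy) {
  return !isPotentiallyTrustworthy(url, policy);
}

// Apply the upgrade step for a subresource fetch made by a document whose CSP
// contains upgrade-insecure-requests. Returns the (possibly rewritten) URL.
function upgradeIfNeeded(requestUrl, policy) {
  const u = new URL(requestUrl);
  const upgrade =
    policy.upgradeInsecureRequests && isAPrioriInsecure(u.href, policy);
  if (!upgrade) return { upgraded: false, url: u.href };

  if (u.protocol === "http:") u.protocol = "https:";
  else if (u.protocol === "ws:") u.protocol = "wss:";
  // The spec also maps an explicit port 80 to 443. The WHATWG parser drops the
  // default port for http/ws before we get here, so this is only defensive;
  // non-default ports such as :8000 are kept, which is why a dev server on
  // http://localhost:8000 ends up at https://localhost:8000 and fails.
  if (u.port === "80") u.port = "443";
  return { upgraded: true, url: u.href };
}

// Two engine profiles, as described in the comment (names are assumptions).
const WEBKIT_LIKE = { upgradeInsecureRequests: true, loopbackIsPotentiallyTrustworthy: false };
const CHROME_FIREFOX_LIKE = { upgradeInsecureRequests: true, loopbackIsPotentiallyTrustworthy: true };

// Side-by-side comparison on a few constructed request URLs.
function compare(urls) {
  return urls.map((url) => ({
    url,
    webkit: upgradeIfNeeded(url, WEBKIT_LIKE).url,
    chromeFirefox: upgradeIfNeeded(url, CHROME_FIREFOX_LIKE).url,
  }));
}

console.table(
  compare([
    "http://localhost:8000/api",
    "http://127.0.0.1/healthz",
    "http://[::1]:3000/",
    "ws://localhost:8000/socket",
    "http://example.com/",
    "https://example.com/",
  ])
);
```

Run it with Node.js to see the table: every engine upgrades the public http://example.com/ fetch, but only the WebKit-like profile rewrites the loopback URLs, which is exactly the breakage the bug reports, and since no public CA will issue a certificate for localhost the upgraded request cannot succeed.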