[Webkit-unassigned] [Bug 250776] Content-Security-Policy upgrade-insecure-requests should not be applied to localhost

bugzilla-daemon at webkit.org
Thu Jan 19 03:47:05 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=250776

--- Comment #5 from Jaime <jaime at synergyos.com> ---
Thank you all for your comments and for the links to the other issues.

@Karl: for sure, let me elaborate.

We have a native application (let's call it "Tools") installed on the users' computers (the employees of several companies). The Tools application interacts with the local computer (it can save files, edit files, etc. It is something like Git version control).

Tools acts as a daemon and exposes an API on localhost, which can be called from custom webapps from those customers (so all those different webapps from different domains can call the same Tools daemon).

One solution (from the other linked issues) is to enable Private Network Access to allow secure contexts (the webapps over HTTPS) to access private networks after a CORS preflight, and in that case treat localhost as a secure context and enable HTTP communication.

For now, we have had to force all Mac users to use Chrome, Edge, or Firefox :(. It is a pity that they cannot use Safari; hopefully this proposal can make it work.

Thank you very much!

-- 
You are receiving this mail because:
You are the assignee for the bug.
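
The preflight exchange mentioned in the comment above, sketched from the daemon's side as an added example (not part of the original message and not code from WebKit or from the application described). The header names are those of the WICG Private Network Access draft; the port, origins and function names are assumptions made for illustration.

```javascript
// Added example. All names, origins and the port are hypothetical placeholders.
const DAEMON_PORT = 48123; // assumed port for the local daemon
const ALLOWED_ORIGINS = new Set([
  "https://app.customer-a.example",
  "https://portal.customer-b.example",
]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_HOSTS = new Set([`localhost:${DAEMON_PORT}`, `127.0.0.1:${DAEMON_PORT}`]);

// HTTP header names are case-insensitive, so normalise the keys once.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Decide how the daemon answers a CORS / Private Network Access preflight.
// Pure function: returns { status, headers } and never touches the network.
function handlePreflight(method, rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const wanted = h["access-control-request-method"];
  if (method !== "OPTIONS" || !wanted) return { status: 400, headers: {} };
  // Reject unexpected Host values (defence against DNS rebinding).
  if (!ALLOWED_HOSTS.has(h["host"])) return { status: 403, headers: {} };
  // Exact-match allowlist: no wildcard, no reflecting arbitrary origins.
  if (!ALLOWED_ORIGINS.has(h["origin"])) return { status: 403, headers: {} };
  if (!ALLOWED_METHODS.has(wanted)) return { status: 403, headers: {} };
  const headers = {
    "Access-Control-Allow-Origin": h["origin"],
    "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
  // Grant private-network access only when the browser asked for it.
  if (h["access-control-request-private-network"] === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers };
}

// Constructed sample preflight, as a browser might send from an HTTPS webapp.
const samplePreflight = {
  Host: `localhost:${DAEMON_PORT}`,
  Origin: "https://app.customer-a.example",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Private-Network": "true",
};
console.log(handlePreflight("OPTIONS", samplePreflight));
```

The response to the actual request that follows the preflight must also carry `Access-Control-Allow-Origin` for the same allowlisted origin.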