[Webkit-unassigned] [Bug 171934] Don't treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as mixed content

bugzilla-daemon at webkit.org
Thu Jun 29 17:33:10 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=171934

hecker <slzfgs+1gpdcqish2o18 at sharklasers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |slzfgs+1gpdcqish2o18 at sharklasers.com

--- Comment #104 from hecker <slzfgs+1gpdcqish2o18 at sharklasers.com> ---
Brave Browser added this bug as a feature: https://brave.com/privacy-updates/27-localhost-permission/

> As mentioned, most other browsers do not significantly prevent websites from accessing localhost resources. The desktop versions of Firefox and Chrome allow both secure and insecure public sites to access localhost resources, and seem to intend to allow public secure sites to access localhost resources indefinitely.
> As a side-effect of security restrictions, Safari currently blocks requests to localhost resources (as do other WebKit browsers) from secure public websites. But to the best of our understanding, Safari does not explicitly intend to block these requests from public websites.
> As far as we can tell, Brave is the only browser that will block requests to localhost resources from both secure and insecure public sites, while still maintaining a compatibility path for sites that users trust (in the form of the discussed localhost permission).

-- 
You are receiving this mail because:
You are the assignee for the bug.