[Webkit-unassigned] [Bug 281149] New: WebKit is inconsistent about whether localhost is a secure origin or not

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 9 10:06:31 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=281149

            Bug ID: 281149
           Summary: WebKit is inconsistent about whether localhost is a
                    secure origin or not
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: gsnedders at apple.com
                CC: annevk at annevk.nl, beidson at apple.com,
                    m_finkel at apple.com,
                    webkit-bug-importer at group.apple.com,
                    wilander at apple.com

We have a number of open bugs about localhost and whether or not it is secure: bug 171934 (Don't treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as mixed content), bug 218980 (Treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as potentially trustworthy URL), and bug 232088 (Unable to set secure+httpOnly cookie for localhost in Safari from Node JS).

As it stands, window.isSecureOrigin is true, but you can't set secure cookies, and nor load mixed secure content.

For example:

https://github.com/WebKit/WebKit/blob/b50ab39c922f4afcc0b894736c29846f1f50d065/Source/WebCore/page/SecurityOrigin.cpp#L89-L105 makes localhost "potentially trustworthy"

https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/MixedContentChecker.cpp#L51-L60 makes localhost insecure (unless loaded over HTTPS)

https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/CookieJar.cpp#L62-L65 makes Secure cookies only work with HTTPS.

Regardless of whether we want localhost to be secure or not (which I think is to some extent blocked on bug 250607?), we should at least be consistent as to whether or not it is secure.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20241009/2594cc86/attachment-0001.htm>

More information about the webkit-unassigned mailing list