- From: Zack Weinberg <zackw@cmu.edu>
- Date: Wed, 4 Jun 2014 17:36:27 -0400
- To: public-webappsec@w3.org
The current editor's draft of the Mixed Content spec ( https://w3c.github.io/webappsec/specs/mixedcontent/#assumed-secure-origin ) defines "assumed secure origin" to include data fetched from 'localhost' and its various aliases (e.g. 127.0.0.1 and ::1) as well as the expected scheme-based determiners (https, wss, file). I'm not sure what browsers actually do, but this is abstractly a mistake, for two reasons:

1) A server on localhost is often used as a development environment. Therefore, the set of things treated as mixed content when the page origin is https://localhost/ should be the same as the set of things treated as mixed content when the page origin is https://global.domain.example/ . Any difference between the two introduces the potential for mixed-content bugs that go unnoticed in development but manifest when deployed.

2) Treating http://localhost/ (and file://) as secure relative to https:// enables (or rather, fails to prevent) attacks where a local malicious application infiltrates scripts into a secure website. (Suppose the Android or iOS security model, so there *is* a security boundary preventing it from just diddling the browser directly.)

zw
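To make the dev/production discrepancy in point 1 concrete, here is an added example (not from the original message or the spec) that models the draft's "assumed secure origin" rule beside a scheme-only rule and classifies the same page/resource pair under both. The set of localhost aliases and the `widget.js` resource names are constructed for illustration.

```javascript
// Added example: toy mixed-content classifier, not part of the original message.
// Uses the WHATWG URL parser available as a global in Node.js and browsers.
const SECURE_SCHEMES = new Set(["https:", "wss:", "file:"]);
// localhost and the aliases named in the message (constructed list for this example).
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Draft rule: a URL is assumed secure if its scheme is https/wss/file
// OR its host is localhost / an alias, regardless of scheme.
function isAssumedSecureDraft(url) {
  const u = new URL(url);
  return SECURE_SCHEMES.has(u.protocol) || LOCAL_HOSTS.has(u.hostname);
}

// Scheme-only rule (what the message argues for): the host plays no part.
function isAssumedSecureSchemeOnly(url) {
  return SECURE_SCHEMES.has(new URL(url).protocol);
}

// A fetch is mixed content when a page that is assumed secure under `rule`
// loads a resource that is not itself assumed secure under the same rule.
function isMixedContent(pageUrl, resourceUrl, rule) {
  return rule(pageUrl) && !rule(resourceUrl);
}

// Point 1: identical page/resource pair, first on a localhost dev server,
// then deployed to a public host. `hiddenInDev` is true when the rule flags
// the fetch only after deployment, i.e. the bug is invisible in development.
function devProdDiscrepancy(rule) {
  const dev = isMixedContent("https://localhost/", "http://localhost/widget.js", rule);
  const prod = isMixedContent("https://global.domain.example/",
                              "http://global.domain.example/widget.js", rule);
  return { dev, prod, hiddenInDev: prod && !dev };
}
```

Under the draft rule `devProdDiscrepancy` reports `{ dev: false, prod: true, hiddenInDev: true }`; under the scheme-only rule both environments flag the fetch identically.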
Received on Thursday, 5 June 2014 11:17:22 UTC