On Thu, Jan 22, 2015 at 7:56 AM, Brad Hill <hillbrad@gmail.com> wrote: > Ah, good catch! That reminds me: (why I think that is there) there are > some bugs with Chrome + CSP on iOS, because of the constraints that > platform puts on implementers of "new" browsers. Stuff like the safe > browsing service there is done by making hidden calls to locally listening > websockets, but these hidden calls are subject to the page's CSP, so if you > don't whitelist localhost:* or 127.0.0.1:*, https pages end up triggering > a false positive on the malicious site check and get blocked. :( > > "localhost" does seem to work and should be safer. But there are probably > a good number of sites working around this bug with "127.0.0.1:*". > That is a sad story. :( I thought the Chrome on iOS folks were working around those issues by injecting policy modifications in order to enable the local connections. Is this just an issue for folks with old versions of the browser, or is it still an issue in the latest stable? Either way, it seems like something we're stuck with supporting. Skipping IPv6, however, seems pretty viable. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 22 January 2015 07:03:31 UTC