- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 8 Jul 2015 17:49:33 +0200
- To: Brian Smith <brian@briansmith.org>, Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2015-07-08 17:42, Brian Smith wrote:
> Francois Marier <francois@mozilla.com> wrote:
>
> > Is there a reason why the mixed content spec doesn't use the same
> > definition of "potentially secure origin" as the powerful features spec?
> >
> > In particular, "http://localhost" is potentially secure in POWER but not
> > in MIX.
>
> In some operating systems, it is possible to have localhost resolve to
> something other than ::1 or 127.0.0.1. In a reasonably-configured system,
> that wouldn't happen, but it makes me uncomfortable about treating
> HTTP://localhost specially.
>
> Personally, I am often running servers locally for testing things
> and rarely are any of those servers "secure" in any sense.

OK.

> And I definitely wouldn't want any external website https://example.com/
> to be able to load anything from any of my local servers in an
> iframe or otherwise, whether it be https://localhost or http://localhost on any port.

F.Y.I. This is the method that most people use today for "Extending the Web".
AFAICT, it includes schemes like the German eID card middleware.

Anders

>
> Consequently, I don't think the definition in MIX should be changed.
>
> Cheers,
> Brian
Received on Wednesday, 8 July 2015 15:50:20 UTC
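
The resolution concern raised in the thread can be checked mechanically. The following is an added example, not code from any participant or from either spec: it accepts an origin as loopback-only when the host is a literal loopback address, or the name `localhost` with every resolved address on loopback. The function names and the sample resolver results are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve(host):
    """Addresses the system resolver (hosts file included) returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_loopback_address(text):
    """True only for 127.0.0.0/8 and ::1; unparsable input is rejected."""
    try:
        # Drop an IPv6 zone id such as "%lo0" before parsing.
        return ipaddress.ip_address(text.split("%", 1)[0]).is_loopback
    except ValueError:
        return False

def origin_stays_on_loopback(origin, resolver=resolve):
    """Decide whether an http(s) origin can only reach this machine."""
    try:
        parts = urlsplit(origin)
        host = parts.hostname
    except ValueError:            # e.g. malformed bracketed IPv6 host
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if is_loopback_address(host):  # literal address, no name resolution
        return True
    if host.rstrip(".") != "localhost":
        return False               # localhost.example.com is not localhost
    try:
        addresses = resolver(host)
    except OSError:                # resolution failure: fail closed
        return False
    # One non-loopback answer is enough to refuse special treatment.
    return bool(addresses) and all(is_loopback_address(a) for a in addresses)

# Constructed resolver results: a sane system and one whose hosts file
# also maps localhost to a non-loopback (documentation-range) address.
def sane_resolver(host):
    return ["127.0.0.1", "::1"]

def remapped_resolver(host):
    return ["127.0.0.1", "192.0.2.10"]

if __name__ == "__main__":
    for name, r in (("sane", sane_resolver), ("remapped", remapped_resolver)):
        print(name, origin_stays_on_loopback("http://localhost:8080", r))
    print("this machine", origin_stays_on_loopback("http://localhost:8080"))
```

This only addresses where `localhost` points; it says nothing about whether the local server itself should be reachable from an external page.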