RE: Restrict loopback address to Secure Contexts?

Could you clarify? What is your actual question?

My views of an ideal world:

·         Browsers only allow loopback connection after a CORS Preflight

·         Browsers vet that “loopback” and “localhost” actually are local and not an alias

·         Post vetting, browsers treat loopback as a secure connection, specifically for this reason that breaks Devdatta’s scenario among many others

Should native extensions or native messaging also be allowed?

·         I think “no”. Caveat: I have changed my mind, several times, just this year.

·         I don’t own our extensions model, so what I think is just an opinion.

From: wilander@apple.com [mailto:wilander@apple.com]
Sent: Monday, September 26, 2016 11:43 AM
To: public-webappsec@w3.org
Subject: Restrict loopback address to Secure Contexts?

Hi WebAppSec!

There’s an ongoing discussion on whether browsers should treat localhost as a secure context<https://github.com/w3c/webappsec-secure-contexts/issues/43>. Devdatta brought up web sockets specifically<https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0135.html> in March last year. We would like to discuss restriction of the loopback address to same-origin or Secure Contexts. Maybe open up so that a loopback address could connect to any loopback address but that might open up for race conditions.

Safari treats localhost connections as mixed content and blocks if the content is active. There is a growing number of local companion apps that web pages or browser extensions talk to. I believe the most common setup are local web sockets. We tell developers that Safari’s native extensions<https://developer.apple.com/safari/extensions/> are the secure way to go but there are existing companion apps and sometimes a desire for a one-size-fits-all solution for all browsers.

The network attacker scenario doesn’t make sense for local connections so mixed content blocking is not really appropriate. On the flip side, allowing access to local web servers from non-secure contexts seems really bad. Yes, the server is supposed to check the Origin header but a network attacker can solve that unless the origin the server is checking for is under HSTS.

What do you think? I know there’s been a lot of discussion on restriction of localhost.

   Regards, John

Received on Monday, 26 September 2016 19:59:38 UTC