Re: Restrict loopback address to Secure Contexts? from Mike West on 2016-09-27 (public-webappsec@w3.org from September 2016)

From: Mike West <mkwst@google.com>
Date: Tue, 27 Sep 2016 10:31:03 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Crispin Cowan <crispin@microsoft.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=ccQOPNc1w410JWZvjATLEjZA_QdujkNC78D3KP7dtv3g@mail.gmail.com>

On Tue, Sep 27, 2016 at 9:44 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Sep 27, 2016 at 6:37 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
> > My 2c: it is just plain weird to allow a seemingly powerful feature
> > like connecting to localhost from http sites (insecure contexts) but
> > block it from https sites (secure contexts). So, I am all for allowing
> > that.
>
> That really depends on whether it is secure or not, no? If we want to
> establish trust in HTTPS and distrust in HTTP, copying insecure
> features from HTTP to HTTPS would be a bad move.

I'd argue that talking to loopback is _not_ secure, and that's why we ought
to (at least) restrict it to secure contexts. It's bad enough that `
https://totally-authenticated-endpoint.com` can attack your antivirus
software when you explicitly visit that site. It's significantly worse if
your coffee shop can do the same when you visit any plaintext site.

-mike

Received on Tuesday, 27 September 2016 08:31:56 UTC