Re: Restrict loopback address to Secure Contexts? from Mike West on 2016-09-27 (public-webappsec@w3.org from September 2016)

From: Mike West <mkwst@google.com>
Date: Tue, 27 Sep 2016 10:41:03 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Crispin Cowan <crispin@microsoft.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=cEhYYNLObZh70OVOowy+7rRrcVgXWXhC4Hgdxxm9BMAg@mail.gmail.com>

On Tue, Sep 27, 2016 at 10:38 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Tue, Sep 27, 2016 at 10:31 AM, Mike West <mkwst@google.com> wrote:
> > I'd argue that talking to loopback is _not_ secure, and that's why we
> ought
> > to (at least) restrict it to secure contexts. It's bad enough that
> > `https://totally-authenticated-endpoint.com` can attack your antivirus
> > software when you explicitly visit that site. It's significantly worse if
> > your coffee shop can do the same when you visit any plaintext site.
>
> They could still redirect you to an endpoint under their control so
> I'm not really sure you're doing much there if anything. At least with
> HTTP at some point browsers will indicate that unsafe things are
> happening (and HTTP will go away at some point).
>

With the caveat that top-level navigation is somewhat more noticeable than
injecting an iframe or image, yes. Which is why the preflight work is still
necessary, and why HTTP is, in general, sadness.

-mike

Received on Tuesday, 27 September 2016 08:41:54 UTC