- From: Randall Leeds <randall.leeds@gmail.com>
- Date: Tue, 17 Mar 2015 15:33:03 +0000
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Web Payments CG <public-webpayments@w3.org>
- Message-ID: <CAAL6JQhXCJtNo85Y+TUjs+MCi3R1f==BH5SKFKbu=TqfEd-UcA@mail.gmail.com>
Thanks. I understand the issue better now.

On Tue, Mar 17, 2015, 11:07 Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2015-03-17 15:57, Randall Leeds wrote:
> > I'm not sure I agree. The discussion seems to talk about user-initiated actions in a way
> > that makes me think that clicking a link or button or otherwise taking some action
> > that causes a subresource to be loaded from localhost is fine. What is not fine is
> > unsolicited attempts to access the local network.
> >
> > Are you sure this presents a problem for you?
>
> There's obviously something wrong when services like DropBox must issue server-certificates
> (mixing http/https is being outlawed) pointing to 127.0.0.1:
> https://code.google.com/p/chromium/issues/detail?id=378566#c29
>
> The security folks may have gotten what they wanted, the market certainly did not.
>
> There are no agreements between the browser-vendors on these topics either.
>
> Anders
>
> > On Tue, Mar 17, 2015 at 7:53 AM Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> >
> > > On 17 March 2015 at 15:48, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> > >
> > > > On 2015-03-17 15:14, Randall Leeds wrote:
> > > >
> > > > > What's this got to do with payments? What do DropBox and Spotify depend on
> > > > > that's relevant here?
> > > >
> > > > DropBox and Spotify depend on browser bypass schemes using localhost.
> > > >
> > > > Payments may do that as well as David Nicol writes here:
> > > > https://lists.w3.org/Archives/Public/public-webpayments/2014Oct/0194.html
> > > >
> > > > GitHub use another browser bypass scheme:
> > > > github-windows://openRepo/https://github.com/cyberphone/webpkisuite-4-android
> > >
> > > Yes, I also use localhost for payments from the browser.
> > >
> > > Added my +1 to the call for WONTFIX on this issue.
> > >
> > > Locking down the browser in this way will hinder a lot of legitimate use cases,
> > > and provide minimal incremental security.
> > >
> > > > Anders
> > > >
> > > > > On Tue, Mar 17, 2015 at 12:10 AM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> > > > >
> > > > > > https://code.google.com/p/chromium/issues/detail?id=378566
> > > > > >
> > > > > > Since popular services like DropBox and Spotify depend on this non-standardized
> > > > > > way of bypassing the browser, I think this strengthens my argument that we really
> > > > > > need a standard way to do this.
> > > > > >
> > > > > > The time for that is now.
> > > > > >
> > > > > > Anders

Received on Tuesday, 17 March 2015 15:33:31 UTC