
[MIX] localhost should not be trusted

From: Zack Weinberg <zackw@cmu.edu>
Date: Wed, 4 Jun 2014 17:36:27 -0400
Message-ID: <CAKCAbMjjdqB3NK54f+X3agXPh7PXitiB97nVJiVfyoGTCXsMzA@mail.gmail.com>
To: public-webappsec@w3.org

The current editor's draft of the Mixed Content spec (
https://w3c.github.io/webappsec/specs/mixedcontent/#assumed-secure-origin
) defines "assumed secure origin" to include data fetched from
'localhost' and its various aliases (e.g. 127.0.0.1 and ::1) as well
as the expected scheme-based determiners (https, wss, file).  I'm not
sure what browsers actually do, but this is abstractly a mistake, for
two reasons:

1) A server on localhost is often used as a development environment.
Therefore, the set of things treated as mixed-content when the page
origin is https://localhost/ should be the same as the set of things
treated as mixed-content when the page origin is
https://global.domain.example/ .  Any difference between the two
introduces the potential for mixed-content bugs that go unnoticed in
development but manifest when deployed.

2) Treating http://localhost/ (and file://) as secure relative to
https:// enables (or rather, fails to prevent) attacks where a local
malicious application infiltrates scripts into a secure website.
(Suppose the Android or iOS security model, so there *is* a security
boundary preventing it from just diddling the browser directly.)

zw
Received on Thursday, 5 June 2014 11:17:22 UTC
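The two rules the message contrasts, modelled as an added example (this is not code from the message, the spec, or any browser). It encodes the draft's "assumed secure origin" rule as the message describes it (https/wss/file schemes plus the localhost host and its loopback aliases) beside the scheme-only rule the message argues for, then classifies the same set of subresources fetched from a dev page at https://localhost/ and from a deployed page at https://global.domain.example/ . The page and resource URLs, the bank.example page and the loopback port 8080 are constructed for the example; the function names are the example's own.

```javascript
// Added example: models the "assumed secure origin" rule from the June 2014
// Mixed Content editor's draft as the message describes it, beside the
// scheme-only rule the message argues for, and classifies sample fetches as
// mixed content under each. All URLs below are constructed for this example.

const SECURE_SCHEMES = new Set(["https:", "wss:", "file:"]);
const LOCALHOST_ALIASES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Draft rule as described: scheme-based determiners plus localhost aliases.
// Note: WHATWG URL keeps the brackets on an IPv6 hostname, hence "[::1]".
function isAssumedSecureDraft(url) {
  const u = new URL(url);
  return SECURE_SCHEMES.has(u.protocol) || LOCALHOST_ALIASES.has(u.hostname);
}

// Rule the message argues for: judge by scheme only, never by host.
function isAssumedSecureStrict(url) {
  return SECURE_SCHEMES.has(new URL(url).protocol);
}

// A fetch is mixed content when a secure page pulls in a not-secure resource.
function isMixedContent(pageUrl, resourceUrl, isSecure) {
  return isSecure(pageUrl) && !isSecure(resourceUrl);
}

// Return the subset of resourceUrls the given rule would flag on pageUrl.
function classify(pageUrl, resourceUrls, isSecure) {
  return resourceUrls.filter((r) => isMixedContent(pageUrl, r, isSecure));
}

// Constructed sample: identical site layout on a dev host and a deployed host.
const DEV_PAGE = "https://localhost/app/";
const PROD_PAGE = "https://global.domain.example/app/";
const subresources = (host) => [
  `https://${host}/static/app.js`,     // fine under either rule
  `http://${host}/static/legacy.js`,   // plain-http script: a mixed-content bug
  `ws://${host}/live`,                 // plain-ws socket: another one
];

// Point 1 of the message: does the dev page flag the same fetches as the
// deployed page under this rule? Under the draft rule it does not.
function devProdDivergence(isSecure) {
  const dev = classify(DEV_PAGE, subresources("localhost"), isSecure);
  const prod = classify(PROD_PAGE, subresources("global.domain.example"), isSecure);
  return { dev, prod, sameBehaviour: dev.length === prod.length };
}

// Point 2 of the message: a local malicious app listening on a loopback port
// (constructed: 127.0.0.1:8080) serves a script into an https page. True means
// the rule would block it as mixed content; false means it is let through.
function localAppInjection(isSecure) {
  return isMixedContent(
    "https://bank.example/",
    "http://127.0.0.1:8080/evil.js",
    isSecure,
  );
}

// Stand-alone run: print the classification under both rules.
for (const [name, rule] of [
  ["draft (localhost assumed secure)", isAssumedSecureDraft],
  ["strict (scheme only)", isAssumedSecureStrict],
]) {
  console.log(name, JSON.stringify(devProdDivergence(rule)));
  console.log(name, "blocks loopback script injection:", localAppInjection(rule));
}
```

Under the draft rule the dev page flags nothing while the deployed page flags two fetches, which is exactly the bug-that-only-shows-in-production the first point describes; under the scheme-only rule both pages flag the same two, and the loopback script into https://bank.example/ is blocked rather than admitted.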
