W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: [MIX] localhost should not be trusted

From: Mike West <mkwst@google.com>
Date: Thu, 5 Jun 2014 13:53:51 +0200
Message-ID: <CAKXHy=dYPTj-9YRyzYq6RKDg=CRCdzDsvmBDSQk7WRJOMY_fxA@mail.gmail.com>
To: Zack Weinberg <zackw@cmu.edu>, Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree, this was a mistake. The intent was to outline a set of origins
that should be considered 'secure' in general, with the thought in the back
of my head that web-facing access to these origins would be limited in
other ways. The text ended up muddled and confusing, however, and failed
completely to make the point I wanted.

I've responded to a similar point Brian Smith made in
http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0052.html, and
I expect to have an updated draft soonish that clarifies the intent around
non-public origins.

Thanks, Zach!

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Jun 4, 2014 at 11:36 PM, Zack Weinberg <zackw@cmu.edu> wrote:

> The current editor's draft of the Mixed Content spec (
> https://w3c.github.io/webappsec/specs/mixedcontent/#assumed-secure-origin
> ) defines "assumed secure origin" to include data fetched from
> 'localhost' and its various aliases (e.g. 127.0.0.1 and ::1) as well
> as the expected scheme-based determiners (https, wss, file).  I'm not
> sure what browsers actually do, but this is abstractly a mistake, for
> two reasons:
>
> 1) A server on localhost is often used as a development environment.
> Therefore, the set of things treated as mixed-content when the page
> origin is https://localhost/ should be the same as the set of things
> treated as mixed-content when the page origin is
> https://global.domain.example/ .  Any difference between the two
> introduces the potential for mixed-content bugs that go unnoticed in
> development but manifest when deployed.
>
> 2) Treating http://localhost/ (and file://) as secure relative to
> https:// enables (or rather, fails to prevent) attacks where a local
> malicious application infiltrates scripts into a secure website.
> (Suppose the Android or iOS security model, so there *is* a security
> boundary preventing it from just diddling the browser directly.)
>
> zw
>
>
>
Received on Thursday, 5 June 2014 11:54:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC