- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 8 Jul 2015 11:42:23 -0400
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 8 July 2015 15:42:51 UTC
Francois Marier <francois@mozilla.com> wrote:

> Is there a reason why the mixed content spec doesn't use the same
> definition of "potentially secure origin" as the powerful features spec?
>
> In particular, "http://localhost" is potentially secure in POWER but not
> in MIX.

In some operating systems, it is possible to have localhost resolve to something other than ::1 or 127.0.0.1. In a reasonably-configured system, that wouldn't happen, but it makes me uncomfortable about treating HTTP://localhost specially.

Personally, I am often running servers locally for testing things and rarely are any of those servers "secure" in any sense. And I definitely wouldn't want any external website https://example.com/ to be able to load anything from any of my local servers in an iframe or otherwise, whether it be https://localhost or http://localhost on any port.

Consequently, I don't think the definition in MIX should be changed.

Cheers,
Brian