Re: Definition of secure origin in MIX and POWER

From: Brian Smith <brian@briansmith.org>
Date: Wed, 8 Jul 2015 11:42:23 -0400
Message-ID: <CAFewVt6xACiDXhYgxQ++NdxB_iJ4hqu-y33UruYaKMvu1LPjHw@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Francois Marier <francois@mozilla.com> wrote:

> Is there a reason why the mixed content spec doesn't use the same
> definition of "potentially secure origin" as the powerful features spec?
>
> In particular, "http://localhost" is potentially secure in POWER but not
> in MIX.
>

In some operating systems, it is possible to have localhost resolve to
something other than ::1 or 127.0.0.1. In a reasonably-configured system,
that wouldn't happen, but it makes me uncomfortable about treating
HTTP://localhost specially.

Personally, I am often running servers locally for testing things and
rarely are any of those servers "secure" in any sense. And I definitely
wouldn't want any external website https://example.com/ to be able to load
anything from any of my local servers in an iframe or otherwise, whether it
be https://localhost or http://localhost on any port.

Consequently, I don't think the definition in MIX should be changed.

Cheers,
Brian
Received on Wednesday, 8 July 2015 15:42:51 UTC
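The concern above, that "localhost" need not resolve to ::1 or 127.0.0.1, can be turned into a concrete check. As an added example (not code from this thread or from any W3C specification), the following Python resolves the name and refuses to treat it as loopback unless every returned address is; the `Resolver` abstraction and the simplified two-policy model (`localhost_is_secure` toggling POWER-style versus MIX-style behaviour) are assumptions for illustration.

```python
import ipaddress
import socket
import urllib.parse
from typing import Callable, Iterable

# Resolver: host name -> iterable of address strings (an assumed abstraction
# so the resolution step can be swapped out in tests).
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver, which honours the local hosts file,
    the very thing that can send 'localhost' somewhere unexpected."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _is_loopback_literal(text: str) -> bool:
    try:
        return ipaddress.ip_address(text.strip("[]")).is_loopback
    except ValueError:  # not an IP literal (or carries a scope id we cannot parse)
        return False


def is_loopback_host(host: str, resolve: Resolver = system_resolver) -> bool:
    """True for a loopback IP literal, or for a name whose every resolved
    address is loopback. No addresses, or any non-loopback address, fails."""
    if _is_loopback_literal(host):
        return True
    addrs = list(resolve(host))
    return bool(addrs) and all(_is_loopback_literal(a) for a in addrs)


def origin_potentially_secure(origin: str, localhost_is_secure: bool,
                              resolve: Resolver = system_resolver) -> bool:
    """Simplified model of the two policies in the thread: both accept
    https/wss origins; the POWER-style policy (localhost_is_secure=True)
    also accepts http://localhost, here only after the resolution check."""
    parts = urllib.parse.urlsplit(origin)
    if parts.scheme in ("https", "wss"):
        return True
    if localhost_is_secure and parts.scheme in ("http", "ws") and parts.hostname:
        return is_loopback_host(parts.hostname, resolve)
    return False
```

With the default resolver the check reflects the machine it runs on, so a hosts-file entry redirecting localhost makes `is_loopback_host("localhost")` return False rather than silently granting the origin secure status.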