Re: Definition of secure origin in MIX and POWER

Francois Marier <francois@mozilla.com> wrote:

> Is there a reason why the mixed content spec doesn't use the same
> definition of "potentially secure origin" as the powerful features spec?
>
> In particular, "http://localhost" is potentially secure in POWER but not
> in MIX.
>

In some operating systems, it is possible to have localhost resolve to
something other than ::1 or 127.0.0.1. In a reasonably-configured system,
that wouldn't happen, but it makes me uncomfortable about treating
HTTP://localhost specially.

Personally, I am often running servers locally for testing things and
rarely are any of those servers "secure" in any sense. And I definitely
wouldn't want any external website https://example.com/ to be able to load
anything from any of my local servers in an iframe or otherwise, whether it
be https://localhost or http://localhost on any port.

Consequently, I don't think the definition in MIX should be changed.

Cheers,
Brian

Received on Wednesday, 8 July 2015 15:42:51 UTC
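
The concern raised in the reply above, that localhost can resolve to something other than ::1 or 127.0.0.1, can be checked on a given machine. The following is an added example, not part of the original message: the hosts-file sample is constructed and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample in hosts-file format; the last entry remaps localhost.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  build-box localhost   # misconfiguration
"""

def hosts_entries_for(name, hosts_text):
    """Return every address that a hosts-format text maps `name` to."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            found.append(addr)
    return found

def non_loopback(addresses):
    """Return the addresses that are not loopback (127.0.0.0/8 or ::1)."""
    bad = []
    for addr in addresses:
        try:
            # Strip an IPv6 zone id such as "%lo0" before parsing.
            ip = ipaddress.ip_address(addr.split("%", 1)[0])
        except ValueError:
            bad.append(addr)  # unparsable value: treat as not loopback
            continue
        if not ip.is_loopback:
            bad.append(addr)
    return bad

def resolve_live(name="localhost"):
    """Addresses the local resolver actually returns for `name`."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    print("hosts file:", non_loopback(hosts_entries_for("localhost", SAMPLE_HOSTS)))
    print("resolver:  ", non_loopback(resolve_live()))
```

An empty result from both checks means localhost stays on the loopback interface on that machine; it says nothing about whether the servers listening there are safe to expose to external pages.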