
Re: Definition of secure origin in MIX and POWER

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 8 Jul 2015 17:49:33 +0200
To: Brian Smith <brian@briansmith.org>, Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <559D468D.3020403@gmail.com>
On 2015-07-08 17:42, Brian Smith wrote:
> Francois Marier <francois@mozilla.com <mailto:francois@mozilla.com>> wrote:
>     Is there a reason why the mixed content spec doesn't use the same
>     definition of "potentially secure origin" as the powerful features spec?
>     In particular, "http://localhost" is potentially secure in POWER but not
>     in MIX.
> In some operating systems, it is possible to have localhost resolve to something other than ::1 or In a reasonably-configured system, that wouldn't happen, but it makes me uncomfortable about treating HTTP://localhost specially.
> Personally, I am often running servers locally for testing things
> and rarely are any of those servers "secure" in any sense.
>
> And I definitely wouldn't want any external website https://example.com/
> to be able to load anything from any of my local servers in an
> iframe or otherwise, whether it be https://localhost or http://localhost on any port.

This is the method that most people use today for "Extending the Web".
AFAICT, it includes schemes like the German eID card middleware.
> Consequently, I don't think the definition in MIX should be changed.
> Cheers,
> Brian
Received on Wednesday, 8 July 2015 15:50:20 UTC
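The difference discussed in the thread (POWER treats http://localhost as potentially secure, MIX does not) and Brian's caveat that "localhost" is not guaranteed to resolve to a loopback address can be made concrete in a few lines. The following is an added example written for this archive page, not code from either specification or from any participant: it classifies an origin under each definition using only the rule stated above (the acceptance of TLS schemes by both specs is an assumption), and it checks what the OS resolver actually returns for "localhost" before treating it as loopback.

```python
# Added example, not from the thread or the specs: classify an origin under
# the MIX and POWER definitions as described in the discussion, and verify
# the "localhost might not be loopback" caveat against the OS resolver.
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for illustration: both specs treat TLS-protected schemes as secure.
SECURE_SCHEMES = {"https", "wss"}


def is_potentially_secure(origin: str, spec: str) -> bool:
    """Return True if `origin` is potentially secure under `spec`
    ('MIX' or 'POWER'), encoding only the difference named in the thread:
    POWER special-cases http://localhost, MIX does not."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme in SECURE_SCHEMES:
        return True
    if spec == "POWER" and scheme == "http" and host == "localhost":
        return True
    return False


def addresses_are_loopback(addresses) -> bool:
    """True only if there is at least one address and every one of them is a
    loopback address (127.0.0.0/8 or ::1). Any unparsable entry fails closed."""
    if not addresses:
        return False
    try:
        return all(ipaddress.ip_address(a).is_loopback for a in addresses)
    except ValueError:
        return False


def resolve_host(host: str):
    """Resolve `host` with the OS resolver (hosts file, DNS, ...) and return
    the distinct IP address strings, or an empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def localhost_resolves_to_loopback(host: str = "localhost") -> bool:
    """The check an agent would want before trusting an http://localhost
    origin: the name must resolve exclusively to loopback addresses."""
    return addresses_are_loopback(resolve_host(host))


if __name__ == "__main__":
    # Constructed sample origins covering the cases raised in the thread.
    for origin in ("https://example.com", "http://localhost",
                   "http://localhost:8080", "http://intranet.example"):
        print(f"{origin:28} MIX={is_potentially_secure(origin, 'MIX')!s:5} "
              f"POWER={is_potentially_secure(origin, 'POWER')}")
    print("localhost resolves only to loopback:", localhost_resolves_to_loopback())
```

Running the script on a normally configured machine prints that http://localhost on any port is secure under POWER and not under MIX, and that "localhost" resolves only to loopback; on a machine where the hosts file or resolver has been changed, the last line is the one that would flip to False.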