
Re: Definition of secure origin in MIX and POWER

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 8 Jul 2015 17:49:33 +0200
To: Brian Smith <brian@briansmith.org>, Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <559D468D.3020403@gmail.com>

On 2015-07-08 17:42, Brian Smith wrote:
> Francois Marier <francois@mozilla.com> wrote:
>
>     Is there a reason why the mixed content spec doesn't use the same
>     definition of "potentially secure origin" as the powerful features spec?
>
>     In particular, "http://localhost" is potentially secure in POWER but not
>     in MIX.
>
>
> In some operating systems, it is possible to have localhost resolve to something other than ::1 or 127.0.0.1. In a reasonably-configured system, that wouldn't happen, but it makes me uncomfortable about treating HTTP://localhost specially.
>
> Personally, I am often running servers locally for testing things
> and rarely are any of those servers "secure" in any sense.

OK.

> And I definitely wouldn't want any external website https://example.com/
> to be able to load anything from any of my local servers in an
> iframe or otherwise, whether it be https://localhost or http://localhost on any port.

F.Y.I.

This is the method that most people use today for "Extending the Web".
AFAICT, it includes schemes like the German eID card middleware.

Anders

>
> Consequently, I don't think the definition in MIX should be changed.
>
> Cheers,
> Brian
Received on Wednesday, 8 July 2015 15:50:20 UTC
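
The concern raised in the quoted text, that `localhost` may resolve to something other than ::1 or 127.0.0.1, can be checked on a given machine. The following is an added example, not part of the original messages; the hosts-file sample and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample hosts file (not from the thread); line 3 is the bad entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  devbox localhost   # constructed misconfiguration
10.0.0.5    fileserver
"""

def _is_loopback(addr):
    """True if addr (text) parses as an IPv4 or IPv6 loopback address."""
    try:
        # Drop any IPv6 zone id ("%lo0") before parsing.
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False

def nonloopback_localhost_entries(hosts_text):
    """Return (line_no, address) for hosts lines that map the name
    'localhost' to an address that is not a loopback address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comment, tokenize
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        named = any(n.lower().rstrip(".") == "localhost" for n in names)
        if named and not _is_loopback(addr):
            findings.append((line_no, addr))
    return findings

def resolver_localhost_addresses():
    """Addresses the system resolver currently returns for 'localhost'."""
    infos = socket.getaddrinfo("localhost", None)
    return sorted({info[4][0] for info in infos})

def localhost_is_loopback_only(addresses):
    """True only if the list is non-empty and every address is loopback."""
    return bool(addresses) and all(_is_loopback(a) for a in addresses)

if __name__ == "__main__":
    print("hosts-file findings:", nonloopback_localhost_entries(SAMPLE_HOSTS))
    live = resolver_localhost_addresses()
    print("resolver:", live, "loopback only:", localhost_is_loopback_only(live))
```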
