W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: Definition of secure origin in MIX and POWER

From: Mike West <mkwst@google.com>
Date: Wed, 8 Jul 2015 18:25:53 +0200
Message-ID: <CAKXHy=fDCuM5xDv+7VzHQPciYiKxrk3A=mu9jn0xBcXtE1-39g@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Note that whether `localhost` or `127.0.0.1` or any other RFC1918 URL is
blocked by MIX is a separate question from whether or not they should be
blocked, period (I think they should, modulo some sort of authentication
ceremony that would allow embedding). I still think this group should
tackle that question, and I'm still a bit sad that we dropped that
discussion from this iteration of MIX.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jul 8, 2015 at 5:42 PM, Brian Smith <brian@briansmith.org> wrote:

> Francois Marier <francois@mozilla.com> wrote:
>
>> Is there a reason why the mixed content spec doesn't use the same
>> definition of "potentially secure origin" as the powerful features spec?
>>
>> In particular, "http://localhost" is potentially secure in POWER but not
>> in MIX.
>>
>
> In some operating systems, it is possible to have localhost resolve to
> something other than ::1 or 127.0.0.1. In a reasonably-configured system,
> that wouldn't happen, but it makes me uncomfortable about treating
> HTTP://localhost specially.
>
> Personally, I am often running servers locally for testing things and
> rarely are any of those servers "secure" in any sense. And I definitely
> wouldn't want any external website https://example.com/ to be able to
> load anything from any of my local servers in an iframe or otherwise,
> whether it be https://localhost or http://localhost on any port.
>
> Consequently, I don't think the definition in MIX should be changed.
>
> Cheers,
> Brian
>
Received on Wednesday, 8 July 2015 16:26:42 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC