- From: Mike West <mkwst@google.com>
- Date: Wed, 8 Jul 2015 18:25:53 +0200
- To: Brian Smith <brian@briansmith.org>
- Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fDCuM5xDv+7VzHQPciYiKxrk3A=mu9jn0xBcXtE1-39g@mail.gmail.com>
Note that whether `localhost` or `127.0.0.1` or any other RFC1918 URL is blocked by MIX is a separate question from whether or not they should be blocked, period (I think they should, modulo some sort of authentication ceremony that would allow embedding). I still think this group should tackle that question, and I'm still a bit sad that we dropped that discussion from this iteration of MIX.

-mike

-- 
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jul 8, 2015 at 5:42 PM, Brian Smith <brian@briansmith.org> wrote:
> Francois Marier <francois@mozilla.com> wrote:
>
>> Is there a reason why the mixed content spec doesn't use the same
>> definition of "potentially secure origin" as the powerful features spec?
>>
>> In particular, "http://localhost" is potentially secure in POWER but not
>> in MIX.
>>
>
> In some operating systems, it is possible to have localhost resolve to
> something other than ::1 or 127.0.0.1. In a reasonably-configured system,
> that wouldn't happen, but it makes me uncomfortable about treating
> HTTP://localhost specially.
>
> Personally, I am often running servers locally for testing things and
> rarely are any of those servers "secure" in any sense. And I definitely
> wouldn't want any external website https://example.com/ to be able to
> load anything from any of my local servers in an iframe or otherwise,
> whether it be https://localhost or http://localhost on any port.
>
> Consequently, I don't think the definition in MIX should be changed.
>
> Cheers,
> Brian
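As an added illustration (not part of the thread, and a simplified model rather than either spec's exact algorithm), here is a small Python classifier applying the stricter rule Brian argues for: only TLS schemes and loopback IP literals count as potentially secure, and the name `localhost` does not. The last helper captures his point that the name is only as trustworthy as whatever the resolver returns; the address list is a constructed input, not a live lookup, and all function names and the `trust_localhost_name` flag are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback_literal(host: str) -> bool:
    """True only for an IP-literal loopback host (127.0.0.0/8 or ::1).

    A hostname such as 'localhost' is never a literal, so it returns False.
    """
    # urlsplit already strips IPv6 brackets, but accept a raw "[::1]" too.
    h = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def potentially_secure(url: str, trust_localhost_name: bool = False) -> bool:
    """Simplified 'potentially secure origin' check (assumed model, not the spec).

    trust_localhost_name=False mirrors the MIX stance defended in the thread:
    the *name* 'localhost' is not special, only loopback IP literals are.
    trust_localhost_name=True mirrors the POWER definition being asked about.
    """
    parts = urlsplit(url)
    if parts.scheme in ("https", "wss"):
        return True
    if parts.scheme not in ("http", "ws"):
        return False
    host = parts.hostname or ""
    if is_loopback_literal(host):
        return True
    return trust_localhost_name and host == "localhost"


def localhost_resolves_safely(addresses) -> bool:
    """The resolver concern from the thread, as a check.

    Given the addresses a resolver produced for 'localhost' (a constructed
    list here), the name is only safe to treat as loopback when every
    address is loopback; an empty answer or any non-loopback address fails.
    """
    addrs = list(addresses)
    return bool(addrs) and all(
        ipaddress.ip_address(a).is_loopback for a in addrs
    )
```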
Received on Wednesday, 8 July 2015 16:26:42 UTC