Re: Definition of secure origin in MIX and POWER

On 8 July 2015 at 09:25, Mike West <mkwst@google.com> wrote:

> Note that whether `localhost` or `127.0.0.1` or any other RFC1918 URL is
> blocked by MIX is a separate question from whether or not they should be
> blocked, period (I think they should, modulo some sort of authentication
> ceremony that would allow embedding). I still think this group should
> tackle that question, and I'm still a bit sad that we dropped that
> discussion from this iteration of MIX.
>
>
Exactly. My understanding was that, in the context of MIX where the threat
model is "network attacker" only, we had agreed that 127.0.0.1 is secure.
If we want to tackle the question of whether or not to allow that, that
should be a separate spec.

This doesn't mean it is actually secure, as Brian notes, but there are many
sites with valid SSL certificates that are not secure. MIX really shouldn't
get into all that.


-dev

Received on Wednesday, 8 July 2015 18:57:56 UTC