- From: Jeffrey Walton <noloader@gmail.com>
- Date: Thu, 9 Jul 2015 04:36:16 -0400
- To: Brian Smith <brian@briansmith.org>
- Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 8, 2015 at 11:42 AM, Brian Smith <brian@briansmith.org> wrote:
> Francois Marier <francois@mozilla.com> wrote:
>>
>> Is there a reason why the mixed content spec doesn't use the same
>> definition of "potentially secure origin" as the powerful features spec?
>>
>> In particular, "http://localhost" is potentially secure in POWER but not
>> in MIX.
>
> In some operating systems, it is possible to have localhost resolve to
> something other than ::1 or 127.0.0.1. In a reasonably-configured system,
> that wouldn't happen, but it makes me uncomfortable about treating
> HTTP://localhost specially.

What is the threat? Unauthorized code execution? If so, you have the remediation. CSP won't allow it.

One of the good things about revenue based models: if something costs someone money, they are more inclined to tend to it. As soon as the ads stop working, the web will adjust itself to restore profitability. Those CSP hashes will begin to show up everywhere.

Jeff
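The resolver concern Brian raises above (that "localhost" need not map to ::1 or 127.0.0.1) can be made concrete with a small check; this is an added example, not code from either spec or from anyone on the thread, and the function name, the treatment of ws/wss alongside http/https, and the pluggable resolver are assumptions made here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy helper (not from the Mixed Content or Powerful Features
# specs): decide whether an origin may be treated as "potentially secure".
# Literal loopback addresses are accepted outright; the name "localhost" is
# accepted only if the resolver maps it exclusively to loopback addresses.

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_address("::1")


def _is_loopback(addr):
    """True for any 127.0.0.0/8 address or for ::1; False for non-addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip == LOOPBACK_V6 or (ip.version == 4 and ip in LOOPBACK_V4)


def system_resolve(host):
    """Addresses the OS resolver returns for host (hosts file, DNS, etc.)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def is_potentially_secure(origin, resolve=system_resolve):
    """Assumed policy: https/wss always; http/ws only for loopback hosts."""
    parts = urlsplit(origin)
    scheme, host = parts.scheme.lower(), (parts.hostname or "")
    if scheme in ("https", "wss"):
        return True
    if scheme not in ("http", "ws"):
        return False
    # A literal loopback address cannot be redirected by a misconfigured resolver.
    if _is_loopback(host):
        return True
    # "localhost" is only as trustworthy as the resolver that answers for it:
    # require at least one address, and require every address to be loopback.
    if host == "localhost" or host.endswith(".localhost"):
        addrs = resolve(host)
        return bool(addrs) and all(_is_loopback(a) for a in addrs)
    return False
```

Passing a fake resolver (as the assertions do) shows the decision flipping when "localhost" points somewhere other than loopback.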
Received on Thursday, 9 July 2015 08:36:43 UTC