W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2016

[MIX] Carveout for `127.0.0.1`?

From: Mike West <mkwst@google.com>
Date: Fri, 29 Apr 2016 09:43:49 +0200
Message-ID: <CAKXHy=efETwFaFo9wH+k9p+HzDuXUBsk38Sm-GEtZUxbQnkLww@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Currently, mixed content checks block `http://127.0.0.1` from loading in a
page delivered over TLS. I'm (belatedly) coming around to the idea that
that restriction does more harm than good. In particular, I'll note that
folks are installing new trusted roots and self-signing certs for that IP
address, exposing themselves to additional risk for minimal benefit.
Helpful locally installed software is doing the same, with even more
associated risk.

I'd like to change MIX to use the Secure Contexts spec's notion of
"potentially trustworthy" origins as opposed to toggling strictly based on
the URL's protocol. This would be a normative change that would force us
back to CR again. *shrug* Seems like it might be worth doing anyway.

I've filed https://github.com/w3c/webappsec-mixed-content/issues/4 to cover
this, and have a PR up at
https://github.com/w3c/webappsec-mixed-content/pull/5 for discussion.

WDYT?

-mike
Received on Friday, 29 April 2016 07:44:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC