[MIX] Carveout for `127.0.0.1`? from Mike West on 2016-04-29 (public-webappsec@w3.org from April 2016)

From: Mike West <mkwst@google.com>
Date: Fri, 29 Apr 2016 09:43:49 +0200
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=efETwFaFo9wH+k9p+HzDuXUBsk38Sm-GEtZUxbQnkLww@mail.gmail.com>

Currently, mixed content checks block `http://127.0.0.1` from loading in a
page delivered over TLS. I'm (belatedly) coming around to the idea that
that restriction does more harm than good. In particular, I'll note that
folks are installing new trusted roots and self-signing certs for that IP
address, exposing themselves to additional risk for minimal benefit.
Helpful locally installed software is doing the same, with even more
associated risk.

I'd like to change MIX to use the Secure Contexts spec's notion of
"potentially trustworthy" origins as opposed to toggling strictly based on
the URL's protocol. This would be a normative change that would force us
back to CR again. *shrug* Seems like it might be worth doing anyway.

I've filed https://github.com/w3c/webappsec-mixed-content/issues/4 to cover
this, and have a PR up at
https://github.com/w3c/webappsec-mixed-content/pull/5 for discussion.

WDYT?

-mike

Received on Friday, 29 April 2016 07:44:39 UTC