Re: [MIX] Carveout for `127.0.0.1`?

Yes please!

On Fri, Apr 29, 2016, 09:46 Mike West <mkwst@google.com> wrote:

> Currently, mixed content checks block `http://127.0.0.1` from loading in
> a page delivered over TLS. I'm (belatedly) coming around to the idea that
> that restriction does more harm than good. In particular, I'll note that
> folks are installing new trusted roots and self-signing certs for that IP
> address, exposing themselves to additional risk for minimal benefit.
> Helpful locally installed software is doing the same, with even more
> associated risk.
>
> I'd like to change MIX to use the Secure Contexts spec's notion of
> "potentially trustworthy" origins as opposed to toggling strictly based on
> the URL's protocol. This would be a normative change that would force us
> back to CR again. *shrug* Seems like it might be worth doing anyway.
>
> I've filed https://github.com/w3c/webappsec-mixed-content/issues/4 to
> cover this, and have a PR up at
> https://github.com/w3c/webappsec-mixed-content/pull/5 for discussion.
>
> WDYT?
>
> -mike
>

Received on Friday, 29 April 2016 08:28:14 UTC
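
The difference between the two rules discussed in this thread, as an added example that is not part of the original messages or of the MIX or Secure Contexts specifications. It models only the TLS-scheme and loopback-address steps of "potentially trustworthy"; all function names and sample URLs are constructed for illustration.

```javascript
// Added example: simplified mixed-content decision for a subresource URL.
// Function names are hypothetical. Only a subset of the Secure Contexts
// "potentially trustworthy" check is modelled (TLS schemes, loopback IPs).

// Scheme-only rule: on a TLS page, anything that is not https:/wss: is blocked.
function isBlockedByScheme(pageUrl, resourceUrl) {
  if (new URL(pageUrl).protocol !== "https:") return false; // not a secure page
  const scheme = new URL(resourceUrl).protocol;
  return !(scheme === "https:" || scheme === "wss:");
}

// True for hosts in 127.0.0.0/8 or ::1/128. The URL parser has already
// canonicalised the host, so "127.1" arrives here as "127.0.0.1".
function isLoopbackHost(hostname) {
  if (hostname === "[::1]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && Number(m[1]) === 127 &&
    m.slice(1).every((octet) => Number(octet) <= 255);
}

function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return isLoopbackHost(u.hostname);
}

// Proposed rule: block only resources that are not potentially trustworthy.
function isBlockedByTrustworthiness(pageUrl, resourceUrl) {
  if (new URL(pageUrl).protocol !== "https:") return false;
  return !isPotentiallyTrustworthy(resourceUrl);
}

// Constructed sample inputs.
const PAGE = "https://app.example/";
const SAMPLES = [
  "http://127.0.0.1:8080/status",
  "http://[::1]:8080/status",
  "http://127.0.0.1.example.com/status", // a DNS name, not a loopback address
  "http://cdn.example/lib.js",
  "https://cdn.example/lib.js",
];

function compare() {
  return SAMPLES.map((url) => ({
    url,
    schemeRule: isBlockedByScheme(PAGE, url) ? "block" : "allow",
    trustRule: isBlockedByTrustworthiness(PAGE, url) ? "block" : "allow",
  }));
}

console.table(compare());
```

The host comparison is made on the parsed, canonical hostname rather than on the raw URL string, which is why `127.0.0.1.example.com` stays blocked under both rules.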