- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Fri, 29 Apr 2016 10:37:07 -0400
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Mike West <mkwst@google.com>, "Eduardo' Vela" <evn@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <3052579302924175237@unknownmsgid>
I support using the definitions from Secure Contexts. I do not support special casing for MIX.

Sent from my iPhone. Please excuse brevity.

On Apr 29, 2016, at 10:35, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

Yes, please. And I support it because I think it is a good idea :)

On Apr 29, 2016 1:45 AM, "Mike West" <mkwst@google.com> wrote:

> On Fri, Apr 29, 2016 at 10:27 AM, Eduardo' Vela" <Nava> <evn@google.com> wrote:
>
>> Yes please!
>>
> I'm not sure if you're supportive because it's a good idea, or because it will let you break more things. :)
>
>> On Fri, Apr 29, 2016, 09:46 Mike West <mkwst@google.com> wrote:
>>
>>> Currently, mixed content checks block `http://127.0.0.1` from loading in a page delivered over TLS. I'm (belatedly) coming around to the idea that that restriction does more harm than good. In particular, I'll note that folks are installing new trusted roots and self-signing certs for that IP address, exposing themselves to additional risk for minimal benefit. Helpful locally installed software is doing the same, with even more associated risk.
>>>
>>> I'd like to change MIX to use the Secure Contexts spec's notion of "potentially trustworthy" origins as opposed to toggling strictly based on the URL's protocol. This would be a normative change that would force us back to CR again. *shrug* Seems like it might be worth doing anyway.
>>>
>>> I've filed https://github.com/w3c/webappsec-mixed-content/issues/4 to cover this, and have a PR up at https://github.com/w3c/webappsec-mixed-content/pull/5 for discussion.
>>>
>>> WDYT?
>>>
>
> Note also that I'm thinking about this in the context of https://mikewest.github.io/cors-rfc1918/, which aims to create more restrictions on Internet -> Intranet -> Local traffic that are probably more reasonable. That's going to be tough to ship, but I'm aiming to have a prototype for discussion at our May F2F.
>
> -mike
Received on Friday, 29 April 2016 14:37:37 UTC
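To make the proposal in the quoted message concrete, here is an added example (not code from the thread, from the Mixed Content spec or from Secure Contexts) contrasting a scheme-only mixed content test with a simplified "potentially trustworthy origin" test that also admits loopback. The loopback ranges (127.0.0.0/8 and ::1) and the https/wss schemes follow Secure Contexts as I understand it; the exact case list is an assumption to check against the current spec text.

```javascript
// Added illustration, not the thread's or either spec's code. Shows how moving
// Mixed Content from a scheme-only test to Secure Contexts' "potentially
// trustworthy origin" notion changes the verdict for http://127.0.0.1.
// Loopback and scheme lists are simplified and assumed from Secure Contexts.

// Scheme-only test, roughly the pre-change Mixed Content rule: anything that
// is not https/wss is unauthenticated, so http://127.0.0.1 is blocked.
function isAuthenticatedScheme(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable URL, nothing to authenticate
  }
  return url.protocol === "https:" || url.protocol === "wss:";
}

// Loopback test as in Secure Contexts: IPv4 127.0.0.0/8 or IPv6 ::1.
// The WHATWG URL parser has already canonicalised the host, so "127.1"
// arrives as "127.0.0.1" and "[0:0:0:0:0:0:0:1]" arrives as "[::1]".
function isLoopbackHost(hostname) {
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname) || hostname === "[::1]";
}

// Simplified "potentially trustworthy origin": secure scheme, or a loopback
// host regardless of scheme. Further cases in the real algorithm (file:,
// user-agent-configured origins, later "localhost" names) are omitted here.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable URL behaves like an opaque origin
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return isLoopbackHost(url.hostname);
}

// Decision for a subresource fetched from a TLS page under both rules.
function mixedContentDecision(urlString) {
  return {
    blockedBySchemeRule: !isAuthenticatedScheme(urlString),
    blockedByTrustworthyRule: !isPotentiallyTrustworthy(urlString),
  };
}
```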