Re: [MIX] Carveout for `127.0.0.1`? from Mike West on 2016-05-03 (public-webappsec@w3.org from May 2016)

From: Mike West <mkwst@google.com>
Date: Tue, 3 May 2016 12:18:23 +0200
To: Axel Nennker <Axel.Nennker@telekom.de>
Cc: Richard Barnes <rbarnes@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Eduardo' Vela <Nava>" <evn@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=d4JV_sENqUi4k78xexo=-D0aOY4JCNZWaLgKLfGY9LYQ@mail.gmail.com>

On Tue, May 3, 2016 at 12:09 PM, <Axel.Nennker@telekom.de> wrote:

> We used things like file:/// and http://localhost/ in the past but never
> built a product using it because the behavior changed even from browser
> version to browser version.
>
1. I don't think folks should use `file:` for anything.
2. `localhost` is a bit of a problem, actually. I'll start another thread
for that.
3. `127.0.0.1` is pretty safe.

> So if MIX gets me a standard way of communication with an app or local
> server then I want this.
>
Well, this, of course, is what I'm worried about. I don't actually want to
create such a standard, except insofar as it's more restrictive than the
status quo. My suggestion here is only that MIX is the wrong place to
create such a policy.

The approach I'm prototyping in Chrome today is
https://mikewest.github.io/cors-rfc1918/, which seems like a reasonable
middle ground, especially in possible combination with explicit user
mediation.

-mike

Received on Tuesday, 3 May 2016 10:19:11 UTC