
Re: Restrict loopback address to Secure Contexts?

From: Mike West <mkwst@google.com>
Date: Wed, 19 Oct 2016 19:07:21 +0200
Message-ID: <CAKXHy=eS3Lh_4i1U--BhuvV=70k6kjjAKx+SNEy+Hk+JKdm8bg@mail.gmail.com>
To: "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Crispin Cowan <crispin@microsoft.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Anne van Kesteren <annevk@annevk.nl>

This thread got pulled off in a slightly different direction than John
started in.

I'm still interested in deprecating access to loopback resources from
non-secure contexts. I plan to add some metrics to Chrome to see how much
of the ~1% of "private IP resource in public IP page" page views
(!!!) that Chrome users report would fall into this bucket so that we can
start to judge the impact.

If the numbers aren't too terrifying, we'd likely send an "Intent to
Deprecate" to blink-dev@ to get approval from the Blink community.

On today's call, John suggested that this might also be reasonably added to
the CORS-RFC1918 draft <https://wicg.github.io/cors-rfc1918/>: as it turns
out, it's already there (search for "secure context" in
https://wicg.github.io/cors-rfc1918/#integration-fetch). :)


On Wed, Sep 28, 2016 at 10:17 AM, Anne van Kesteren <annevk@annevk.nl>

> On Wed, Sep 28, 2016 at 12:18 AM, Crispin Cowan <crispin@microsoft.com>
> wrote:
> > On the perfect being the enemy of the good: you are quite right, I am
> > describing an idealized world. I thought that’s what Standards are for,
> > and we then work towards them? Conversely, it seems like it would be bad to
> > standardize on “good enough for now” and then need to change it.
> We standardize what ships or we estimate we can ship within a short
> amount of time. It's not at all that aspirational as you make it out
> to be. E.g., in some idealized world I might have wished there would
> be no need to have written https://encoding.spec.whatwg.org/ but the
> fact is that there's more than UTF-8 in use. Ignoring that leads to
> issues for users and is also anti-competitive to some extent as it
> hinders new browsers from entering the market.
> > Edge can’t do an effective job of CORS Preflight right now due to
> > architectural issues which we hope to address in the future. Meanwhile we
> > keep Edge users safe from loopback attack with a different mitigation
> > that is not worthy of floating as a standard.
> Why not? If it works and is deployed today...
> > What is “happy eyeballs”?
> https://en.wikipedia.org/wiki/Happy_Eyeballs
> --
> https://annevankesteren.nl/

Received on Wednesday, 19 October 2016 17:08:12 UTC
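The gate Mike describes above (loopback reachable only from secure contexts, with the CORS-RFC1918 draft's preflight for servers that opt in) and the "private IP resource in public IP page" bucket he wants to measure, as an added illustration that is not code from this thread, from Chrome or from the draft itself. It assumes a simplified address-space partition (loopback, the three IPv4 RFC 1918 ranges, everything else public), treats the literal name `localhost` as loopback, encodes my reading of the draft's fetch integration as the decision rule, and runs over a constructed list of page views rather than real telemetry.

```python
"""Classify hosts into CORS-RFC1918-style address spaces and apply the
secure-context gate discussed in the thread (illustration, not spec text)."""
import ipaddress
from enum import IntEnum


class AddressSpace(IntEnum):
    # Ordered from least public to most public; a lower value is "less public".
    LOCAL = 0    # loopback: 127.0.0.0/8 and ::1
    PRIVATE = 1  # RFC 1918 ranges (simplification: IPv4 only)
    PUBLIC = 2   # everything else


RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_space(host: str) -> AddressSpace:
    """Map a literal IP address (or the name 'localhost', an assumption here)
    to an address space. Other hostnames would need resolving first and
    raise ValueError from ip_address()."""
    if host == "localhost":
        return AddressSpace.LOCAL
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return AddressSpace.LOCAL
    if addr.version == 4 and any(addr in net for net in RFC1918_NETS):
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC


def fetch_decision(initiator_space: AddressSpace, initiator_is_secure: bool,
                   target_host: str) -> str:
    """Decision for a fetch from a document in initiator_space to target_host.
    Rule (my reading of the draft): crossing into a less-public space is
    blocked outright from a non-secure context and needs a CORS preflight
    from a secure one; any other fetch follows ordinary fetch rules."""
    target_space = address_space(target_host)
    if target_space >= initiator_space:
        return "allow"
    if not initiator_is_secure:
        return "blocked"
    return "preflight"


def bucket_counts(page_views):
    """Over (page_ip, resource_ip, page_is_secure) tuples, count the
    'private IP resource in public IP page' bucket and, within it, the
    loopback-from-non-secure-context subset the deprecation would affect."""
    counts = {"total": len(page_views), "private_in_public": 0,
              "loopback_nonsecure": 0}
    for page_ip, resource_ip, secure in page_views:
        page, res = address_space(page_ip), address_space(resource_ip)
        if page == AddressSpace.PUBLIC and res < AddressSpace.PUBLIC:
            counts["private_in_public"] += 1
            if res == AddressSpace.LOCAL and not secure:
                counts["loopback_nonsecure"] += 1
    return counts


# Constructed sample page views, not real browser telemetry.
SAMPLE_PAGE_VIEWS = [
    ("203.0.113.5", "203.0.113.9", False),   # public page, public resource
    ("203.0.113.5", "127.0.0.1", False),     # non-secure public page -> loopback
    ("203.0.113.5", "127.0.0.1", True),      # secure public page -> loopback
    ("203.0.113.5", "192.168.1.20", False),  # public page -> RFC 1918 resource
    ("192.168.1.1", "127.0.0.1", False),     # private page -> loopback (not in bucket)
]

if __name__ == "__main__":
    print(bucket_counts(SAMPLE_PAGE_VIEWS))
    print(fetch_decision(AddressSpace.PUBLIC, False, "127.0.0.1"))
```

The ordering in `AddressSpace` is what makes "less public" a single comparison; the same comparison drives both the fetch decision and the metric, so the two stay consistent if the partition is later refined (for example to add IPv6 unique-local addresses).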

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:58 UTC