Re: Restrict loopback address to Secure Contexts?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 27 Sep 2016 09:44:16 +0200
Message-ID: <CADnb78h7SL+MVrNnJ2Vi8YT0CyERC-O6kMB==cZn2UXDjrd+QQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Crispin Cowan <crispin@microsoft.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Sep 27, 2016 at 6:37 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> My 2c: it is just plain weird to allow a seemingly powerful feature
> like connecting to localhost from http sites (insecure contexts) but
> block it from https sites (secure contexts). So, I am all for allowing
> that.

That really depends on whether it is secure or not, no? If we want to
establish trust in HTTPS and distrust in HTTP, copying insecure
features from HTTP to HTTPS would be a bad move.

Received on Tuesday, 27 September 2016 07:44:47 UTC