W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

Re: Restrict loopback address to Secure Contexts?

From: Mike West <mkwst@google.com>
Date: Tue, 27 Sep 2016 10:31:03 +0200
Message-ID: <CAKXHy=ccQOPNc1w410JWZvjATLEjZA_QdujkNC78D3KP7dtv3g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Crispin Cowan <crispin@microsoft.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Sep 27, 2016 at 9:44 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Sep 27, 2016 at 6:37 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
> > My 2c: it is just plain weird to allow a seemingly powerful feature
> > like connecting to localhost from http sites (insecure contexts) but
> > block it from https sites (secure contexts). So, I am all for allowing
> > that.
> That really depends on whether it is secure or not, no? If we want to
> establish trust in HTTPS and distrust in HTTP, copying insecure
> features from HTTP to HTTPS would be a bad move.

I'd argue that talking to loopback is _not_ secure, and that's why we ought
to (at least) restrict it to secure contexts. It's bad enough that `
https://totally-authenticated-endpoint.com` can attack your antivirus
software when you explicitly visit that site. It's significantly worse if
your coffee shop can do the same when you visit any plaintext site.

Received on Tuesday, 27 September 2016 08:31:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC