Re: Restrict loopback address to Secure Contexts?

On Tue, Sep 27, 2016 at 10:31 AM, Mike West <mkwst@google.com> wrote:
> I'd argue that talking to loopback is _not_ secure, and that's why we ought
> to (at least) restrict it to secure contexts. It's bad enough that
> `https://totally-authenticated-endpoint.com` can attack your antivirus
> software when you explicitly visit that site. It's significantly worse if
> your coffee shop can do the same when you visit any plaintext site.

They could still redirect you to an endpoint under their control so
I'm not really sure you're doing much there if anything. At least with
HTTP at some point browsers will indicate that unsafe things are
happening (and HTTP will go away at some point).


-- 
https://annevankesteren.nl/

Received on Tuesday, 27 September 2016 08:38:49 UTC