
Re: Restrict loopback address to Secure Contexts?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 27 Sep 2016 10:38:21 +0200
Message-ID: <CADnb78h2rDa8qGNPyHLN_2-ogUuJp7EJ6869g=D1Manjwghzdw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Crispin Cowan <crispin@microsoft.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Sep 27, 2016 at 10:31 AM, Mike West <mkwst@google.com> wrote:
> I'd argue that talking to loopback is _not_ secure, and that's why we ought
> to (at least) restrict it to secure contexts. It's bad enough that
> `https://totally-authenticated-endpoint.com` can attack your antivirus
> software when you explicitly visit that site. It's significantly worse if
> your coffee shop can do the same when you visit any plaintext site.

They could still redirect you to an endpoint under their control so
I'm not really sure you're doing much there if anything. At least with
HTTP at some point browsers will indicate that unsafe things are
happening (and HTTP will go away at some point).

Received on Tuesday, 27 September 2016 08:38:49 UTC
