
Re: Restrict loopback address to Secure Contexts?

From: Mike West <mkwst@google.com>
Date: Tue, 27 Sep 2016 10:41:03 +0200
Message-ID: <CAKXHy=cEhYYNLObZh70OVOowy+7rRrcVgXWXhC4Hgdxxm9BMAg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Crispin Cowan <crispin@microsoft.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Sep 27, 2016 at 10:38 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Sep 27, 2016 at 10:31 AM, Mike West <mkwst@google.com> wrote:
> > I'd argue that talking to loopback is _not_ secure, and that's why we ought
> > to (at least) restrict it to secure contexts. It's bad enough that
> > `https://totally-authenticated-endpoint.com` can attack your antivirus
> > software when you explicitly visit that site. It's significantly worse if
> > your coffee shop can do the same when you visit any plaintext site.
>
> They could still redirect you to an endpoint under their control so
> I'm not really sure you're doing much there if anything. At least with
> HTTP at some point browsers will indicate that unsafe things are
> happening (and HTTP will go away at some point).

With the caveat that top-level navigation is somewhat more noticeable than
injecting an iframe or image, yes. Which is why the preflight work is still
necessary, and why HTTP is, in general, sadness.

Received on Tuesday, 27 September 2016 08:41:54 UTC
