On Tue, Sep 27, 2016 at 10:38 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:
> On Tue, Sep 27, 2016 at 10:31 AM, Mike West <mkwst@google.com> wrote:
> > I'd argue that talking to loopback is _not_ secure, and that's why we
> > ought to (at least) restrict it to secure contexts. It's bad enough that
> > `https://totally-authenticated-endpoint.com` can attack your antivirus
> > software when you explicitly visit that site. It's significantly worse if
> > your coffee shop can do the same when you visit any plaintext site.
>
> They could still redirect you to an endpoint under their control so
> I'm not really sure you're doing much there if anything. At least with
> HTTP at some point browsers will indicate that unsafe things are
> happening (and HTTP will go away at some point).
>
With the caveat that top-level navigation is somewhat more noticeable than
injecting an iframe or image, yes. Which is why the preflight work is still
necessary, and why HTTP is, in general, sadness.
-mike