W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

Re: Restrict loopback address to Secure Contexts?

From: Eduardo' Vela\ <evn@google.com>
Date: Tue, 27 Sep 2016 08:42:33 +0000
Message-ID: <CAFswPa-bbBr7GgVbEC5KYqgo1Y1Rgm0PaTT+=oBXFQWG06Mh2Q@mail.gmail.com>
To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Crispin Cowan <crispin@microsoft.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
An attacker that can inject code to talk to 127.0.0.1 van also inject code
that iframes an https site that talks to 127.0.0.1. Blocking access to
127.0.0.1 from HTTP sites doesn't help the user, does it?

The only argument I can imagine is that a 127.0.0.1 web server mistakenly
allows access from http://onesite.com to fo scare stuff, and such attack
would be harder to achieve if we force secure origins to talk to local host.

However, there are legitimate use cases for http sites to talk to
localhost.. so I would rather it was left allowed.

On Tue, Sep 27, 2016, 10:34 Mike West <mkwst@google.com> wrote:

> On Tue, Sep 27, 2016 at 9:44 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
> On Tue, Sep 27, 2016 at 6:37 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
> > My 2c: it is just plain weird to allow a seemingly powerful feature
> > like connecting to localhost from http sites (insecure contexts) but
> > block it from https sites (secure contexts). So, I am all for allowing
> > that.
>
> That really depends on whether it is secure or not, no? If we want to
> establish trust in HTTPS and distrust in HTTP, copying insecure
> features from HTTP to HTTPS would be a bad move.
>
>
> I'd argue that talking to loopback is _not_ secure, and that's why we
> ought to (at least) restrict it to secure contexts. It's bad enough that `
> https://totally-authenticated-endpoint.com` can attack your antivirus
> software when you explicitly visit that site. It's significantly worse if
> your coffee shop can do the same when you visit any plaintext site.
>
> -mike
>
Received on Tuesday, 27 September 2016 08:43:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC