On Tue, Sep 27, 2016 at 10:42 AM, Eduardo' Vela" <Nava> <evn@google.com>
wrote:
> An attacker that can inject code to talk to 127.0.0.1 can also inject code
> that iframes an https site that talks to 127.0.0.1. Blocking access to
> 127.0.0.1 from HTTP sites doesn't help the user, does it?
>
An HTTPS site framed in an HTTP top-level site is not considered a "secure
context" (see
https://w3c.github.io/webappsec-secure-contexts/#examples-framed for some
examples).
> The only argument I can imagine is that a 127.0.0.1 web server mistakenly
> allows access from http://onesite.com to do scary stuff, and such attack
> would be harder to achieve if we force secure origins to talk to local host.
>
I think this is harder to exploit than you're suggesting, given the above.
The attacker would need to navigate the user to a top-level secure context
that they control. Totally not impossible, but not as easy or as invisible
as injecting elements into an existing page.
> However, there are legitimate use cases for http sites to talk to
> localhost, so I would rather it was left allowed.
>
What kinds of use cases are you thinking of?
-mike
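The failure mode the thread turns on is a 127.0.0.1 service that answers cross-origin requests from any web page. The browser-side restriction under discussion is one layer; the other is the local service itself checking the `Origin` header. The following is an added example, not code from either participant or from any browser project: a hypothetical localhost service that only emits CORS headers for an exact, `https` allowlisted origin (the `ALLOWED_ORIGINS` entries and the port are constructed for illustration).

```python
"""Origin allowlisting for a service bound to 127.0.0.1.

Added illustration, not code from the thread. It assumes a hypothetical local
service that should only answer cross-origin browser requests from a small set
of HTTPS origins; the allowlist below is constructed for this example.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed allowlist: the only web origins permitted to call this service.
ALLOWED_ORIGINS = frozenset({
    "https://app.example",        # hypothetical first-party web app
    "https://dashboard.example",  # hypothetical admin UI
})


def origin_allowed(origin):
    """Return True only for an exact, https, allowlisted Origin header value."""
    if not origin:
        return False  # missing or "null" Origin: never grant cross-origin access
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False  # http://onesite.com style callers are rejected outright
    if parts.path or parts.query or parts.fragment or not parts.netloc:
        return False  # an Origin is scheme://host[:port], nothing more
    # Host names are case-insensitive; compare the normalized form exactly,
    # so https://app.example.attacker.example does not match a prefix.
    normalized = f"https://{parts.netloc.lower()}"
    return normalized in ALLOWED_ORIGINS


def cors_headers_for(origin):
    """CORS headers to emit for a permitted origin; an empty dict means deny."""
    if not origin_allowed(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # responses differ per origin, so caches must key on it
    }


class LocalHandler(BaseHTTPRequestHandler):
    """Minimal handler: cross-origin callers get 403 unless allowlisted."""

    def do_GET(self):
        origin = self.headers.get("Origin")
        extra = cors_headers_for(origin)
        if origin is not None and not extra:
            # A browser sent an Origin we do not trust: refuse, and send no
            # Access-Control-Allow-Origin so the page cannot read the body.
            self.send_response(403)
            self.end_headers()
            return
        # No Origin header (same-origin page or non-browser client) or an
        # allowlisted origin: answer, adding CORS headers only for the latter.
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        for name, value in extra.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the port is a constructed value for the example.
    HTTPServer(("127.0.0.1", 8000), LocalHandler).serve_forever()
```

The exact-match check is the point: `origin_allowed` rejects `http://` schemes, rejects `null`, and rejects look-alike hosts that merely start with an allowlisted name, so a script injected into a plain-HTTP page cannot read the service's responses even if the browser lets the request reach loopback.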