- From: Paul Semel <paulsemel@google.com>
- Date: Tue, 13 Dec 2022 17:10:25 +0100
- To: public-webappsec@w3.org
- Cc: Carlos Joan Rafael Ibarra Lopez <carlosil@google.com>, Mike West <mkwst@google.com>
Hello everyone,

I am willing to move forward on this discussion: https://github.com/w3c/webappsec-mixed-content/issues/17 (and more generally concerning literal IP addresses). The goal is to make the spec clearer on the subject. I will resume the proposal here for more visibility.

The point is to clarify mixed-content behaviour for literal IP addresses. I will split this into two points, for “Auto-upgrade” and “Block Fetch”:

- Auto-upgrade: The idea here is to not upgrade literal IP addresses (all of them). The reason for this is that it is very unlikely we will be able to get a cert for these if we were to do the upgrade. Plus, certificate providers like Let's Encrypt do not provide support for this. For the case of the literal loopback IP address, this is also a way to do what web devs requested, and prevents running into "but it works when I run it locally!".
- Block Fetch: Then, to avoid having a loophole in mixed content with literal IP addresses, we would hard block them, independently of the type of the mixed content. However, this does not apply to loopback addresses, since the latter is considered "potentially trustworthy".

Are there any objections to landing this proposal?

Have a great day,
— Paul Semel
Received on Tuesday, 13 December 2022 16:14:31 UTC
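The decision procedure the proposal describes (loopback literals allowed as potentially trustworthy, other literal IPs never upgraded and always blocked, hostnames upgraded only for upgradeable destinations), as an added illustration that is not part of the original message or of any browser's code. It assumes that the upgradeable destinations are image, audio and video as in the Mixed Content Level 2 draft, and that `localhost` names count as loopback per the Secure Contexts spec; both are assumptions, not statements from the email.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed: destinations that Mixed Content Level 2 auto-upgrades from http to https.
UPGRADEABLE_DESTINATIONS = {"image", "audio", "video"}


def is_literal_ip(host):
    """True if the URL host is an IPv4 or IPv6 literal (urlsplit strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_loopback(host):
    """Loopback literals (127.0.0.0/8, ::1) and, assumed per Secure Contexts, 'localhost' names."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def mixed_content_decision(request_url, destination):
    """Decide how a secure (https) document's subresource request is treated.

    Returns 'allow', 'upgrade' or 'block'. Only the literal-IP rules from the
    proposal are modelled; everything else follows the existing draft behaviour.
    """
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    if parts.scheme in ("https", "wss"):
        return "allow"  # not mixed content at all
    if parts.scheme not in ("http", "ws"):
        return "allow"  # data:, blob:, about: etc. are out of scope here
    if is_loopback(host):
        return "allow"  # loopback is potentially trustworthy, so no upgrade and no block
    if is_literal_ip(host):
        return "block"  # proposal: never upgrade a literal IP, hard block regardless of type
    if destination in UPGRADEABLE_DESTINATIONS:
        return "upgrade"  # hostnames keep the Level 2 auto-upgrade for upgradeable content
    return "block"  # blockable mixed content (scripts, fetches, ...) stays blocked


if __name__ == "__main__":
    for url, dest in [("http://127.0.0.1:8080/app.js", "script"),
                      ("http://192.168.1.10/logo.png", "image"),
                      ("http://example.com/logo.png", "image")]:
        print(f"{dest:6} {url:35} -> {mixed_content_decision(url, dest)}")
```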