Re: Access to localhost to be outlawed?

On 2015-03-17 15:57, Randall Leeds wrote:
> I'm not sure I agree. The discussion seems to talk about user-initiated actions in a way
> that makes me think that clicking a link or button or otherwise taking some action
> that causes a subresource to be loaded from localhost is fine. What is not fine is unsolicited attempts to access the local network.
>
> Are you sure this presents a problem for you?

There's obviously something wrong when services like DropBox must issue server certificates
(mixing http/https is being outlawed) pointing to 127.0.0.1:
https://code.google.com/p/chromium/issues/detail?id=378566#c29

The security folks may have gotten what they wanted, the market certainly did not.

There are no agreements between the browser-vendors on these topics either.

Anders

>
> On Tue, Mar 17, 2015 at 7:53 AM Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>
>     On 17 March 2015 at 15:48, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>         On 2015-03-17 15:14, Randall Leeds wrote:
>
>             What's this got to do with payments? What do DropBox and Spotify depend on that's relevant here?
>
>
>         DropBox and Spotify depend on browser bypass schemes using localhost.
>
>         Payments may do that as well as David Nicol writes here:
>         https://lists.w3.org/Archives/Public/public-webpayments/2014Oct/0194.html
>
>         GitHub use another browser bypass scheme:
>         github-windows://openRepo/https://github.com/cyberphone/webpkisuite-4-android
>
>
>     Yes, I also use localhost for payments from the browser.
>
>     Added my +1 to the call for WONTFIX on this issue.
>
>     Locking down the browser in this way will hinder a lot of legitimate use cases, and provide minimal incremental security.
>
>
>         Anders
>
>
>             On Tue, Mar 17, 2015 at 12:10 AM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>             https://code.google.com/p/chromium/issues/detail?id=378566
>
>                  Since popular services like DropBox and Spotify depend on this non-standardized
>                  way of bypassing the browser, I think this strengthens my argument that we really
>                  need a standard way to do this.
>
>                  The time for that is now.
>
>                  Anders
>
>
>

Received on Tuesday, 17 March 2015 15:07:28 UTC