1289876 - requests to http://127.0.0.1 from https-served pages should not cause mixed content warnings

Status: RESOLVED DUPLICATE of bug 903966

(Core :: DOM: Security, defect, P3)

Description

[Pedro Morte Rolo]

Attachment: Screen Shot 2016-07-27 at 19.57.04.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

I made an application that serves jsonp via http and made it run on my machine.
I made a web page that performs jsonp requests against http://127.0.0.1:<port>/path.
I copied my web page into a https served public folder.
I loaded the page with a https:// url


Actual results:

when performing the requests to 127.0.0.1 the page is marked as unsafe due to mixed content.


Expected results:

The requests against 127.0.0.1 should have no effect on the mixed content status of the webpage, according to this w3c draft change: 

<<Among other things, this means that http://127.0.0.1/ will not be considered mixed content when loaded in an otherwise secure page.>>

https://github.com/w3c/webappsec-mixed-content/commit/349501cdaa4b4dc1e2a8aacb216ced58fd316165

Comment 1

[Daniel Veditz [:dveditz]]

This is a spec change for mixed-content-blocking that we have not implemented yet.

Comment 2

[Daniel Veditz [:dveditz]]

This was fixed in bug 903966 for Firefox 55. The description of this bug ("http://127.0.0.1") is closer to what was actually implemented than the summary of that older bug ("localhost"). We're still arguing about using the named version because--stupid as it is--we have found cases in the wild where people have mapped localhost to remote machines rather than the loopback address.