1346835 - Stop treating 'localhost' as securely delivered for the purposes of Secure Contexts

Status: RESOLVED INVALID

(Core :: DOM: Security, enhancement, P3)

Description

[Jonathan Watt [:jwatt]]

In bug 1220810 comment 7 the decision was made that we would NOT ensure that localhost resolves to a loopback address. The result is that the text at:

https://w3c.github.io/webappsec-secure-contexts/#localhost

does not allow us to consider treating 'localhost' as secure so we should stop doing that.

Fixing this will probably annoy a lot of developers.

Comment 1

[Daniel Veditz [:dveditz]]

Can we flag the channel in some way to say whether localhost did or didn't resolve to loopback, so we can set the isSecure flag appropriately? That still causes problems for the mixed-content blocker (potentially not blocking "localhost" scripts that end up coming from elsewhere) but at least gets the right value for documents on localhost.

Otherwise we have a choice of treating it as insecure (annoying a lot of developers because we're breaking the usual case) or treating it as secure and being wrong when people play stupid hosts file games.

I know! We can add a pref...

Comment 2

[Daniel Veditz [:dveditz]]

Another option might be to save global state about whether or not localhost resolves to loopback, with states {unknown, yes, no}, and then make the obvious choices  from there.

Comment 3

[Christoph Kerschbaumer [:ckerschb, back Sept 8th]]

I think we haven't made a decision for this as of now. Putting in the backlog for now. Once we have made a decision we should make sure it somehow aligns with our decision within Bug 903966.

Comment 4

[Anne (:annevk)]

It seems we might well fix bug 1220810 after all in which case this ends up being INVALID.

Comment 6

[Frédéric Wang (:fredw)]

(In reply to Anne (:annevk) from comment #4)

It seems we might well fix bug 1220810 after all in which case this ends up being INVALID.

This is done, so resolving as INVALID.