Closed
Bug 1346835
Opened 7 years ago
Closed 4 years ago
Stop treating 'localhost' as securely delivered for the purposes of Secure Contexts
Categories
(Core :: DOM: Security, enhancement, P3)
RESOLVED
INVALID
People
(Reporter: jwatt, Unassigned)
Details
(Whiteboard: [domsecurity-backlog2])
In bug 1220810 comment 7 the decision was made that we would NOT ensure that localhost resolves to a loopback address. The result is that the text at: https://w3c.github.io/webappsec-secure-contexts/#localhost does not allow us to consider treating 'localhost' as secure so we should stop doing that. Fixing this will probably annoy a lot of developers.
Comment 1•7 years ago
Can we flag the channel in some way to say whether localhost did or didn't resolve to loopback, so we can set the isSecure flag appropriately? That still causes problems for the mixed-content blocker (potentially not blocking "localhost" scripts that end up coming from elsewhere) but at least gets the right value for documents on localhost. Otherwise we have a choice of treating it as insecure (annoying a lot of developers because we're breaking the usual case) or treating it as secure and being wrong when people play stupid hosts file games. I know! We can add a pref...
Updated•7 years ago
Flags: needinfo?(mcmanus)
Updated•7 years ago
Flags: needinfo?(dveditz)
Comment 2•7 years ago
Another option might be to save global state about whether or not localhost resolves to loopback, with states {unknown, yes, no}, and then make the obvious choices from there.
Updated•7 years ago
Flags: needinfo?(dveditz)
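The global {unknown, yes, no} state proposed in comment 2, sketched as an added example; it is not part of the bug thread and not Firefox code. `LocalhostTracker`, `system_resolver`, `is_loopback` and the injectable resolver are hypothetical names, and the function judges a host on loopback grounds only.

```python
import enum
import ipaddress
import socket


class LoopbackState(enum.Enum):
    UNKNOWN = "unknown"   # not resolved yet, or resolution failed
    YES = "yes"           # every address for 'localhost' is loopback
    NO = "no"             # at least one address is not loopback


def system_resolver(host):
    """All addresses the OS resolver returns for host (hosts file included)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; unparsable input counts as not loopback."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False


class LocalhostTracker:
    """Hypothetical holder for the global {unknown, yes, no} state."""

    def __init__(self, resolver=system_resolver):
        self._resolver = resolver
        self.state = LoopbackState.UNKNOWN

    def refresh(self):
        try:
            addrs = self._resolver("localhost")
        except OSError:
            self.state = LoopbackState.UNKNOWN
            return self.state
        all_loopback = bool(addrs) and all(is_loopback(a) for a in addrs)
        self.state = LoopbackState.YES if all_loopback else LoopbackState.NO
        return self.state

    def host_is_trusted_loopback(self, host):
        """Fail closed: only YES lets 'localhost' count as securely delivered."""
        name = host.lower().rstrip(".")
        if name != "localhost":
            return is_loopback(name.strip("[]"))  # literal loopback IPs need no lookup
        if self.state is LoopbackState.UNKNOWN:
            self.refresh()
        return self.state is LoopbackState.YES
```

The cached state is an approximation of what a later connection will actually resolve to, which is the gap the per-channel flag in comment 1 is meant to close.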
Comment 3•7 years ago
I think we haven't made a decision for this as of now. Putting in the backlog for now. Once we have made a decision we should make sure it somehow aligns with our decision within Bug 903966.
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
See Also: → 1464998
Comment 4•4 years ago
It seems we might well fix bug 1220810 after all in which case this ends up being INVALID.
Depends on: let-localhost-be-localhost
Flags: needinfo?(mcmanus)
Comment 6•4 years ago
(In reply to Anne (:annevk) from comment #4)
> It seems we might well fix bug 1220810 after all in which case this ends up being INVALID.
This is done, so resolving as INVALID.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Updated•2 years ago
See Also: let-localhost-be-localhost →