1399803 - isSecureContext is false for 127.0.0.2, should be true

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P3)

Description

[Frederik Braun [:freddy]]

STR:
0) listen on localhost on e.g., linux
1) Go to http://127.0.0.2/ (which is also localhost)
2) verify that isSecureContext in false in JS via Developer tools

Spec said 127.0.0.1/8 should all be secure, see step 4 of
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy


Our code only does a string match at <https://hg.mozilla.org/mozilla-central/annotate/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/dom/security/nsContentSecurityManager.cpp#l804>, when in fact it should either do a CIDR match and check for the whole /8 address space (i.e., every IP that starts with '127.').

Chrome does this by first checking whether it's a valid IPv4 address (and not something like 127.evil.com) and then makes sure it's first octet is 127.
See https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp?l=400&rcl=ee63a5ba7429ec1acffb4031c75937afff628068

(This is not a security bug, as this is all about localhost only)

Comment 2

[(no longer active)]

Attachment: Bug 1399803 - Consider all IPv4 loopback addresses as secure context;

Comment 3

[Pulsebot]

Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0c68a3df6ebd
Consider all IPv4 loopback addresses as secure context; r=bzbarsky,dragana

Comment 4

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/0c68a3df6ebd

Comment 5

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/releases/mozilla-beta/rev/0c68a3df6ebd