Closed Bug 1399803 Opened 2 years ago Closed 2 months ago
Secure Context is false for 127.0.0.2, should be true
STR:
0) listen on localhost on e.g., linux
1) Go to http://127.0.0.2/ (which is also localhost)
2) verify that isSecureContext is false in JS via Developer tools

Spec said 127.0.0.1/8 should all be secure, see step 4 of https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Our code only does a string match at <https://hg.mozilla.org/mozilla-central/annotate/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/dom/security/nsContentSecurityManager.cpp#l804>, when in fact it should either do a CIDR match and check for the whole /8 address space (i.e., every IP that starts with '127.').

Chrome does this by first checking whether it's a valid IPv4 address (and not something like 127.evil.com) and then makes sure its first octet is 127. See https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp?l=400&rcl=ee63a5ba7429ec1acffb4031c75937afff628068

(This is not a security bug, as this is all about localhost only)
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/0c68a3df6ebd Consider all IPv4 loopback addresses as secure context; r=bzbarsky,dragana
Assignee: nobody → ehsan
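The three ways of testing a host for IPv4 loopback that the report contrasts, as an added example that is not the Firefox or Chromium code: the exact string match, a bare '127.' prefix test, and the validate-then-check-first-octet approach. All function names are hypothetical, and the example assumes the host string has already been canonicalized by the URL parser, so leading-zero octets are rejected rather than interpreted.

```cpp
#include <cstddef>
#include <string>

// Strict dotted-decimal IPv4 parse: exactly four octets of 1-3 decimal
// digits, each 0-255, no leading zeros, nothing before or after.
// Hypothetical helper for this example.
bool ParseIPv4(const std::string& host, unsigned char out[4]) {
  std::size_t pos = 0;
  for (int i = 0; i < 4; ++i) {
    const std::size_t start = pos;
    unsigned value = 0;
    while (pos < host.size() && host[pos] >= '0' && host[pos] <= '9') {
      value = value * 10 + static_cast<unsigned>(host[pos] - '0');
      if (++pos - start > 3) return false;  // more than three digits
    }
    const std::size_t digits = pos - start;
    if (digits == 0 || value > 255) return false;
    if (digits > 1 && host[start] == '0') return false;  // no octal-looking octets
    out[i] = static_cast<unsigned char>(value);
    if (i < 3) {
      // Octets one to three must be followed by a dot.
      if (pos >= host.size() || host[pos] != '.') return false;
      ++pos;
    }
  }
  return pos == host.size();  // reject trailing characters
}

// Behaviour the report describes: only the literal 127.0.0.1 matches.
bool IsLoopbackStringMatch(const std::string& host) {
  return host == "127.0.0.1";
}

// A bare prefix test covers the /8 but also accepts hostnames such as
// 127.evil.com, which resolve through DNS and are not loopback literals.
bool IsLoopbackPrefixOnly(const std::string& host) {
  return host.compare(0, 4, "127.") == 0;
}

// Approach the report attributes to Chrome: the host must be a valid IPv4
// literal first, and only then is its first octet compared with 127.
bool IsLoopbackIPv4(const std::string& host) {
  unsigned char octets[4];
  return ParseIPv4(host, octets) && octets[0] == 127;
}
```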