Stop treating "http://localhost/" (by name) as mixed content
Categories
(Core :: DOM: Security, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox84 | --- | fixed |
People
(Reporter: hirschbeckdaniel, Unassigned, NeedInfo)
References
(Blocks 4 open bugs)
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])
Comment 15•6 years ago
Possible dupe of: Bug 1402530
So I think that isSecureContext result traverses all loadInfo arguments using IsOriginPotentiallyTrustworthy. Either way, it should be checked and unified.
Comment 16•6 years ago
It seems I just don't get to fixing this at the moment - I'll try to find someone in the team to take a look at this one.
Comment 17•5 years ago
Any updates on this? This is a pretty big issue for me. Trying to run through this tutorial, I installed about 5 CORS plugins before I realized this was a specific issue since Firefox 58.
Comment 18•5 years ago
Any progress on this? It seems to work fine in Chrome and it would be great to have parity...
Cheers. G.
Comment 19•5 years ago
The WIP patch in Bug 1220810 should address this issue.
Comment 20•5 years ago
This is pretty important to fix for many companies, I guess. We are affected here by using the Atlassian Companion app for attachment editing in Confluence. It doesn't work right now with the ESR version without setting network.websocket.allowInsecureFromHTTPS to true, which would mean more security risks.
Comment 21•4 years ago
Bug 1220810 landed; localhost/ and *.localhost/ are treated as "Potentially Trustworthy" as described in https://w3c.github.io/webappsec-secure-contexts/#localhost
Comment 22•4 years ago
FYI Doc for this captured in Mixed content > Loading locally delivered mixed-resources
For more info see https://bugzilla.mozilla.org/show_bug.cgi?id=1220810#c91 and https://github.com/mdn/sprints/issues/3906#issuecomment-728667532
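
The localhost rule that comment 21 cites from the Secure Contexts spec, as an added JavaScript sketch that is not part of the bug thread and not Firefox's code. The function names are hypothetical, the sample URLs are constructed, and it assumes the user agent resolves localhost names to a loopback address; file: URLs and user-configured origins are left out.

```javascript
// Added example: simplified "potentially trustworthy" classification covering
// secure schemes, loopback addresses, and localhost names only.

function isLoopbackAddress(host) {
  // The URL parser serializes IPv6 hosts in brackets.
  if (host === "[::1]") return true;
  // For http/https/ws/wss the parser normalizes IPv4 to dotted decimal,
  // so "127.1" arrives here as "127.0.0.1". 127.0.0.0/8 is loopback.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 127;
}

function isLocalhostName(host) {
  // Accept "localhost", "localhost.", "*.localhost" and "*.localhost.".
  const h = host.endsWith(".") ? host.slice(0, -1) : host;
  return h === "localhost" || h.endsWith(".localhost");
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trustworthy
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname.toLowerCase();
  // Assumption: localhost names resolve to loopback in this user agent.
  return isLoopbackAddress(host) || isLocalhostName(host);
}

// Constructed sample subresource URLs, as an HTTPS page might request them.
function classifySamples() {
  const samples = [
    "http://localhost/",
    "ws://app.localhost:8080/socket",
    "http://127.0.0.1:3000/",
    "http://localhost.example.com/", // label match must be a suffix, not a prefix
    "http://notlocalhost/",
  ];
  return samples.map((u) => [u, isPotentiallyTrustworthy(u)]);
}

console.log(classifySamples());
```

The suffix check is the part to get right: a name that merely starts with or contains "localhost" is an ordinary remote host and stays blocked as mixed content.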