Closed Bug 1535919 Opened 6 years ago Closed 5 years ago

Allow/ignore CSP `upgrade-insecure-requests` on localhost?

Categories

(Core :: DOM: Security, defect, P3)

64 Branch
defect

RESOLVED DUPLICATE of bug 1447784

People

(Reporter: u611961, Unassigned)

Details

(Keywords: good-first-bug, Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36

Steps to reproduce:

Set CSP `upgrade-insecure-requests`.

Actual results:

No resources are loaded on localhost without a TLS certificate.

Expected results:

Presuming no security risk, all resources should be loaded as if they were served over HTTPS.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Since http://localhost/ (and IP address equivs) are supposed to be considered Secure Contexts, we shouldn't upgrade them.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: good-first-bug
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Within NS_ShouldSecureUpgrade in nsNetutil.cpp we could just check for localhost. Or even better, I guess we already have a subroutine within MixedContentBlocker which should provide the carveout we are looking for here as well.
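As an added illustration of the carve-out discussed in this thread (example code, not Firefox's `NS_ShouldSecureUpgrade` or `MixedContentBlocker`): a model of the `upgrade-insecure-requests` decision that leaves loopback hosts alone, since `localhost`, `*.localhost`, `127.0.0.0/8` and `[::1]` are potentially trustworthy origins under the Secure Contexts spec and gain nothing from an upgrade.

```javascript
// Added example, not Firefox's own code: models the CSP
// upgrade-insecure-requests decision with a loopback carve-out.

// True for hosts the Secure Contexts spec treats as potentially trustworthy
// without TLS: localhost, *.localhost, 127.0.0.0/8 and the IPv6 loopback.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true; // WHATWG URL keeps the brackets in hostname
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (m) {
    const octets = m.slice(1).map(Number);
    return octets[0] === 127 && octets.every((o) => o <= 255);
  }
  return false;
}

// Returns the URL the request should actually be issued to.
// upgradeInsecureRequests: whether the document's CSP carries the directive.
function resolveRequestUrl(rawUrl, upgradeInsecureRequests) {
  const url = new URL(rawUrl);
  if (!upgradeInsecureRequests) return url.href;
  if (isLoopbackHost(url.hostname)) return url.href; // the carve-out
  if (url.protocol === "http:") {
    url.protocol = "https:";
    if (url.port === "80") url.port = "443"; // explicit port 80 becomes 443
  } else if (url.protocol === "ws:") {
    url.protocol = "wss:";
    if (url.port === "80") url.port = "443";
  }
  return url.href;
}
```

With the directive set, `http://example.com/lib.js` becomes `https://example.com/lib.js` while `http://localhost:8080/app.js` is fetched unchanged, which is the behaviour the reporter expected.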

Hi, is anyone working on this? I'm new here and would like to contribute.

Flags: needinfo?(network)

I cannot reproduce this bug, and this looks like it is doing exactly what ckerschb suggested in Comment #2.
Therefore, I suggest this bug be marked fixed and closed.

Flags: needinfo?(ckerschb)

I can't reproduce this bug either.

Flags: needinfo?(network)

This bug was filed a year ago, probably before jkt fixed it within Bug 1447784, hence marking as duplicate.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(ckerschb)
Resolution: --- → DUPLICATE