Closed Bug 1605083 Opened 5 years ago Closed 5 years ago

Prompt to ignore CORS checking between different localhost ports

Categories

(Core :: DOM: Security, enhancement)

71 Branch
enhancement
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: prographodeveloper, Unassigned, NeedInfo)

Details

(Keywords: parity-chrome, parity-safari)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Safari/605.1.15

Steps to reproduce:

I'm developing, so ... https://localhost

Actual results:

Firefox is complaining https://localhost... this is very annoying for development.

Chrome and Safari immediately display "Allow" option on the page, then works for everything.

Expected results:

Please allow option to turn off all checking for localhost and always trust for all connections including cross requests (eg wss to stuff running on localhost). thanks.

(In reply to prographodeveloper from comment #0)

Please allow option to turn off all checking for localhost

See bug 1565220, comment 1.

Chrome and Safari immediately display "Allow" option on the page, then works for everything.

Seems sensible enough to display something like a notification bar for this. Confirming as a valid enhancement request.

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Summary: Force FF to trust localhost → Prompt whether to allow loading localhost cross-origin elements

(In reply to Gingerbread Man from comment #1)

(In reply to prographodeveloper from comment #0)

Please allow option to turn off all checking for localhost

See bug 1565220, comment 1.

This is for file: protocol pages I don't think this is relevant.

I think the correct module for this would be the permission manager but I'm also not certain.

Component: DOM: Security → Permission Manager

Why not DOM Security? Permission Manager is about permission manager internals, mostly, which this is not, right?

Component: Permission Manager → DOM: Security

Changed summary in an attempt to better describe the request, but I'm still not sure it's what you really want. I'm not sure why "local development" ignoring CORS helps you because when you deploy you're still going to have to deal with CORS so shouldn't that be part of your work?

Summary: Prompt whether to allow loading localhost cross-origin elements → Prompt to ignore CORS checking between different localhost ports

Hey prographodeveloper,

Looking back at the initial bug request, are you able to provide us with some more details of what the code is doing?

Could you provide a screenshot of the approval button that Safari/Chrome provide too?

Thanks!

Flags: needinfo?(prographodeveloper)

We'd need strong justification for violating the same origin policy. Just because it's "localhost" doesn't mean we can ignore the "port" part of the origin triple of scheme-host-port. This should be discussed on a forum somewhere to get a lot more buy-in.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: