localhost is considered a SecureContext
Categories: Core :: DOM: Security, defect, P1
People: Reporter: jkt, Assigned: jkt
Details: Keywords: sec-low, Whiteboard: [domsecurity-active]
Bug 1402530 made localhost be considered as a SecureContext; we should either fix that or ensure that we always resolve it locally.
Ideally, in a follow-up bug, we should ensure that we use the same lists to decide if we make carveouts to loopback etc.
Comment 1 (Assignee) • 5 years ago
Bug 1220810 is to ensure we treat localhost as local.
Comment 2 • 5 years ago
What security rating should this get? I'm not sure what the precise danger is. Thanks.
Comment 3 (Assignee) • 5 years ago
sec-low should be fine. I don't know if there is an obvious attack here, just that we explicitly never implemented this, as DNS can resolve externally and so anyone that does has the powerful features of SecureContexts enabled over plain text.
https://bugzilla.mozilla.org/show_bug.cgi?id=let-localhost-be-localhost should resolve this issue though.
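The concern raised in comment 3, as an added example that is not part of the bug thread and is not Firefox code: a Python check that treats the name `localhost` as a secure-context origin only when it resolves exclusively to loopback addresses, while loopback IP literals are trusted without any lookup. The function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Resolve with the OS resolver (hypothetical helper); returns address strings."""
    infos = socket.getaddrinfo(host, None)
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 zone ids


def is_loopback_literal(host):
    """True for IP literals in 127.0.0.0/8 or ::1; False for names."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def is_localhost_name(host):
    host = host.rstrip(".").lower()
    return host == "localhost" or host.endswith(".localhost")


def is_potentially_trustworthy(url, resolver=system_resolver):
    """Secure-context style origin check with a conditional localhost carve-out.

    `resolver` is an assumption of this example: a callable mapping a host
    name to the set of addresses it resolves to.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme in ("https", "wss"):
        return True  # authenticated transport
    if is_loopback_literal(host):
        return True  # an IP literal needs no name resolution
    if is_localhost_name(host):
        # The name is only as local as its resolution: if any answer is a
        # non-loopback address, the page would be fetched in plain text
        # from another machine, so the carve-out must not apply.
        try:
            addrs = resolver(host)
        except OSError:
            return False
        return bool(addrs) and all(is_loopback_literal(a) for a in addrs)
    return False
```
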
Comment 4 • 5 years ago
It seems this bug is public already with bug 1346835?