Closed Bug 1607149 Opened 5 years ago Closed 5 years ago

localhost is considered a SecureContext

Categories

(Core :: DOM: Security, defect, P1)

RESOLVED DUPLICATE of bug 1346835

People

(Reporter: jkt, Assigned: jkt)

Details

(Keywords: sec-low, Whiteboard: [domsecurity-active])

Bug 1402530 made localhost be considered as a SecureContext; we should either fix that or ensure that we always resolve it locally.

Ideally, in a follow-up bug, we should ensure that we use the same lists to decide if we make carveouts to loopback etc.

Bug 1220810 is to ensure we treat localhost as local.

Group: core-security → dom-core-security
Whiteboard: [domsecurity-active]

What security rating should this get? I'm not sure what the precise danger is. Thanks.

Flags: needinfo?(jkt)

sec-low should be fine. I don't know if there is an obvious attack here, just that we explicitly never implemented this, as DNS can resolve externally, and so anyone that does has the powerful features of SecureContexts enabled over plain text.

https://bugzilla.mozilla.org/show_bug.cgi?id=let-localhost-be-localhost should resolve this issue though.

Flags: needinfo?(jkt)
Keywords: sec-low
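
The "ensure that we always resolve it locally" option from this bug, sketched as an added example; it is not part of the bug thread and not Firefox code. The helper names are hypothetical, the resolvers and addresses in the demo are constructed, and treating `*.localhost` the same as `localhost` is an assumption.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Addresses the OS resolver returns for host (may query external DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_loopback_ip(text):
    """True only for IP literals inside 127.0.0.0/8 or equal to ::1."""
    try:
        return ipaddress.ip_address(text).is_loopback
    except ValueError:
        return False


def is_secure_context(url, resolver=system_resolver):
    """Return (trusted, reason) for url; hypothetical helper, not Gecko code."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme in ("https", "wss"):
        return True, "authenticated transport"
    if is_loopback_ip(host):
        return True, "loopback IP literal, no name resolution involved"
    if host == "localhost" or host.endswith(".localhost"):
        try:
            addrs = resolver(host)
        except OSError:
            return False, "localhost name did not resolve"
        # Trust the name only if every answer is loopback; one off-host
        # answer means plain-text traffic could leave the machine.
        if addrs and all(is_loopback_ip(a) for a in addrs):
            return True, "localhost name resolved only to loopback"
        return False, "localhost name resolved off-host: %s" % addrs
    return False, "plain-text origin"


if __name__ == "__main__":
    # Constructed resolvers: a well-behaved and a misbehaving DNS path.
    local_dns = lambda host: ["127.0.0.1", "::1"]
    external_dns = lambda host: ["203.0.113.7"]  # TEST-NET-3 documentation address
    for url, dns in [("http://localhost:8080/", local_dns),
                     ("http://localhost:8080/", external_dns),
                     ("http://[::1]/", external_dns),
                     ("http://example.com/", local_dns)]:
        print(url, is_secure_context(url, dns))
```
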

It seems this bug is public already with bug 1346835?

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security