Intent to prototype & ship: Treat localhost addresses as "Potentially Trustworthy"


Frédéric Wang

Oct 21, 2020, 3:35:22 AM
Hi,

I'm going to try and land a patch for bug 1220810 today, which makes
localhost addresses secure contexts. It seems there were attempts to
land this change 7 months ago and again 3 months ago, but I can't find
any intent email, so I'm sending this one.

Summary: Ensure that localhost addresses resolve to a loopback address,
thereby ensuring that we can safely treat `http://localhost/` and
`http://*.localhost/` as "Potentially Trustworthy". This addresses
various bug reports from developers and aligns with specifications.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1488740

Standards:
https://w3c.github.io/webappsec-secure-contexts/#localhost
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost

Platform coverage: All

Preference: This will ship enabled by default (existing
network.proxy.allow_hijacking_localhost preference can be used to
disable the hardcoded loopback address and resolve proxy for localhost
but I think it's mostly for internal testing).

DevTools bug: N/A

Other browsers:
Chromium: Shipped since version 83
(https://bugs.chromium.org/p/chromium/issues/detail?id=589141#c15)
WebKit: Considering (https://bugs.webkit.org/show_bug.cgi?id=171934#c73)

web-platform-tests:
This is covered by internal Gecko tests, but I opened
https://bugzilla.mozilla.org/show_bug.cgi?id=1672323 as a follow-up.

--
Frédéric Wang
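
The rule in the Summary, sketched as an added example (not part of the original message and not Gecko's code): a localhost name only counts as "Potentially Trustworthy" when the user agent pins its resolution to loopback. `classify`, its return strings and the `resolverPinsLocalhost` flag are hypothetical names and the URLs are constructed samples; the sketch goes slightly beyond the message by also covering the loopback IP literals (127.0.0.0/8 and ::1) that the Secure Contexts specification lists.

```javascript
// Added illustration of the localhost rule; not Gecko's implementation.
// resolverPinsLocalhost (hypothetical flag): true when the user agent
// hardcodes localhost names to a loopback address, as the message describes.

function isLocalhostName(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // tolerate a trailing dot
  return h === "localhost" || h.endsWith(".localhost");
}

function isLoopbackLiteral(host) {
  if (host === "[::1]") return true; // ::1/128, as serialized by URL
  const m = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  return m !== null && m[1] === "127"; // 127.0.0.0/8
}

function classify(urlString, resolverPinsLocalhost) {
  const { protocol, hostname } = new URL(urlString);
  if (protocol === "https:" || protocol === "wss:") return "trustworthy:tls";
  if (isLoopbackLiteral(hostname)) return "trustworthy:loopback-literal";
  if (isLocalhostName(hostname)) {
    // Without pinned resolution, a resolver or proxy could send the name
    // to another machine, so the name alone proves nothing.
    return resolverPinsLocalhost
      ? "trustworthy:localhost-name"
      : "untrusted:localhost-name-not-pinned";
  }
  return "untrusted";
}

// Constructed sample URLs, including look-alike hosts that must not match.
const SAMPLES = [
  "http://localhost:8080/",
  "http://app.localhost/",
  "http://localhost./",
  "http://localhost.example.com/",
  "http://evil-localhost/",
  "http://127.0.0.1:3000/",
  "http://[::1]/",
];
for (const u of SAMPLES) console.log(u, "->", classify(u, true));
```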