Issue 607878 link

Starred by 14 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Blocked on:
issue 691930


Hotlists containing this issue:
EnamelAndFriendsFixIt



Carve out a mixed content exception for 'http://127.0.0.1'

Project Member Reported by mkwst@chromium.org, Apr 29 2016

Issue description

Currently, mixed content checks block http://127.0.0.1 from loading in a page delivered over TLS. I'm (belatedly) coming around to the idea that that restriction does more harm than good. In particular, I'll note that folks are installing new trusted roots and self-signing certs for that IP address, exposing themselves to additional risk for minimal benefit. Helpful locally installed software is doing the same, with even more associated risk.

I'd like to change MIX to use the Secure Contexts spec's notion of "potentially trustworthy" origins as opposed to toggling strictly based on the URL's protocol. This would be a normative change that would force us back to CR again. shrug Seems like it might be worth doing anyway.

See https://github.com/w3c/webappsec-mixed-content/issues/4.
 

Comment 1 by mkwst@chromium.org, Apr 29 2016

Cc: rsleevi@chromium.org est...@chromium.org

Comment 2 by mkwst@chromium.org, Apr 29 2016

Cc: palmer@chromium.org evn@google.com jsc...@chromium.org
+some people who have asked me about this in the past.

Blah. While I don't have a good argument against it (... yet?), I'm pretty opposed to this. I think it goes backwards on our own statements with respect to blocking public/private networks, as http://127.0.0.1 is a terrible source for exploiting users. Much like we worked hard to deprecate NPAPI, I feel like this effectively defeats the security mitigations put forward by Chrome Native Messaging, and allows significantly more attack surface to be exposed to the drive-by web. In the state of the world today, if you wish to actively expose such a service, you either need CNM (which I believe requires admin privileges to get to?) or to install a root cert (which does require some form of powerful privileges on Windows, although Linux/OS X can be accomplished with native code execution).

While I'm sympathetic to "Well, everyone is screwing up security so badly, so we should stop trying to secure users" - though phrased pejoratively, I truly do understand and sympathize with the sentiment - I feel like this opens a bottle for which we'll 'practically' never put the genie back in, and drag others with us.

But I also don't have the energy or time for the endless discussions that would try to convince me to recant, and I fully know that I don't have the compelling arguments to try to show otherwise. So... this makes me very sad, very unhappy, but there's enough people with enough time pushing for it, that I'll probably give up on this matter anyways. So I defer to Justin and just shrug and sob.

Put differently, in my view, the burden to run http://127.0.0.1 is sufficiently low that we are allowing an easier mechanism for poorly written software to lead to Chrome users being exploited. While we can haggle about the scope and depth of poorly written software, and we can haggle about whether Chrome's current policies encourage software to be written even worse, I do hope we can at least agree to that point - that it allows and encourages a significantly larger attack surface, while in other areas, we've been trying very hard to reduce that attack surface.

Comment 5 by jsc...@chromium.org, Apr 29 2016

@rsleevi - You're still very firmly in "I don't have a good argument against it" territory. I strongly agree that we need to block localhost access by default, but that's an entirely orthogonal problem. Because as long as HTTP sites can access localhost, blocking it as mixed-content is not a barrier at all. Rather, it's as likely to encourage sites to use HTTP where they shouldn't.

There's really no good counter to doing this. The point of blocking mixed-content is to protect against transports that don't provide integrity or confidentiality, and by any reasonable measure localhost meets that bar.

Comment 6 by mkwst@chromium.org, Apr 29 2016

@rsleevi: Yup. I totally understand, and I have more or less the same visceral reaction to the proposal. I've ended up coming down on Justin's conclusion: MIX deals with the transport, and it doesn't do a good job dealing with the public/private distinction (especially given the unrestricted access today over HTTP). In the longer term, https://mikewest.github.io/cors-rfc1918/ is what I have in mind as a mechanism for dealing with this kind of thing, and I'm getting pretty close to a vaguely almost partially somewhat halfway functional prototype in Blink. Once we figure out how to ship that, I'll need a ton of help migrating it up the stack, but I think it's doable and worth the (sure and certain) pain.

Mike, do you have more details on the use cases that you can share? I feel like you might have told me IRL but I forget... Is it mostly developers testing stuff who run into this problem?

Also: would this apply to "foo.localhost" as well? On some platforms, in some configurations, local hostnames can get resolved to the public internet (see https://bugs.chromium.org/p/chromium/issues/detail?id=455825#c5 for example). In Chrome we sort of sometimes kind of mitigate this by usually short-circuiting local hostnames to 127.0.0.1, but I wonder if the mixed or secure contexts spec should make a note of this possibility. (https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy alludes to it, I suppose.)

Comment 8 by mkwst@chromium.org, May 2 2016

> Mike, do you have more details on the use cases that you can share? I feel like you might have told me IRL but I forget... Is it mostly developers testing stuff who run into this problem?

No, developers running things locally have a million ways to Do It Right. I'm more concerned about things like antivirus local proxies (e.g. everything Tavis has found recently), and less objectionable local applications like Spotify's `*.spotilocal.com` and Pebble's development tools.

> Also: would this apply to "foo.localhost" as well? On some platforms, in some configurations, local hostnames can get resolved to the public internet (see https://bugs.chromium.org/p/chromium/issues/detail?id=455825#c5 for example). 

I keep forgetting about this. Would either you or Ryan be willing to send a message to public-webappsec@ about this? I don't know enough about the ins and outs of resolution to have a meaningful discussion, but I think it's something we ought to resolve one way or the other in the context of the Secure Contexts spec.

> In Chrome we sort of sometimes kind of mitigate this by usually short-circuiting local hostnames to 127.0.0.1,

Could we do this all the time? Avoiding DNS resolution for `*.localhost` seems like a reasonable thing to do.

> I keep forgetting about this. Would either you or Ryan be willing to send a message to public-webappsec@ about this? I don't know enough about the ins and outs of resolution to have a meaningful discussion, but I think it's something we ought to resolve one way or the other in the context of the Secure Contexts spec.

I don't plan to get involved, because this is behaving exactly as spec'd, so I'm not sure why it keeps coming as a surprise. https://tools.ietf.org/html/rfc6761#section-6.3 - note, it's a SHOULD (not a MUST), and in practice, many platforms' name resolution APIs exploit that SHOULD because they are resolution-agnostic and thus don't impose additional rules (the same reason we get all of the LDH violations being encoded on the wire)

Further, if this bug is meant to give an exception anything other than 127.0.0.1, I think I'm more likely to more strongly object (e.g. to "localhost"/".localhost"). Even with 127.0.0.1, I think the argument for "a-priori secure" is fairly weak, because we know that there will be a number of times where there is no end-to-end encryption. 

> Could we do this all the time? Avoiding DNS resolution for `*.localhost` seems like a reasonable thing to do.

I am pretty opposed to this. While I can cite the RFC, I don't believe it's a reasonable thing to do, nor do I believe that every UA implementation should be required to include their own name resolver (... as we do) or stub all the name resolution APIs (... as we do). That's added complexity for a problem that sounds like we're just trying to take the short-circuit out.

That approach presumes and presupposes that the only name resolution method UAs should support is DNS. That's something Anne and I have struggled with in the URL spec, because in practice and as deployed for the past 20+ years, that's not the case. A call to a name resolution API may support legacy technologies (like WINS or NETBIOS) or new technologies (like Bonjour), and may support any variety of local configurations (file based, or for example, on Windows, the NRPT).

If we're granting exceptions, explicit IPs of 127/8 (... which can still end up going over the network via forwarding daemons or alternative NDIS interfaces) and ::0 should be the extent of it.
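
To make the two policies being contrasted in this thread concrete, here is an added example (my own code, not Chromium's MixedContentChecker and not the Secure Contexts spec text): a compact model of the spec's "potentially trustworthy origin" check and of the mixed-content decision that the issue description proposes to base on it. The names `isPotentiallyTrustworthy`, `mixedContentDecision` and the `trustLocalhostNames` knob are mine; the knob exists to show the difference between exempting only 127/8 and ::1 IP literals, as argued just above, and also exempting `localhost` / `*.localhost` names. It runs under Node.js using only the built-in WHATWG `URL` class, and every input is constructed.

```javascript
// Added example, not code from Chromium or the Secure Contexts spec: a
// simplified model of "is origin potentially trustworthy" and of the
// mixed-content decision that depends on it. Node.js, built-in URL class only.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = IPV4_RE.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Secure Contexts "potentially trustworthy origin", simplified.
// trustLocalhostNames (my knob, not in the spec text) models the optional
// treatment of "localhost" and "*.localhost". It is off by default because,
// as the thread notes, those names are only safe when the UA guarantees they
// never resolve to anything but the local host.
function isPotentiallyTrustworthy(originOrUrl, { trustLocalhostNames = false } = {}) {
  let url;
  try {
    url = new URL(originOrUrl);
  } catch {
    return false; // unparseable or opaque origin
  }
  const scheme = url.protocol.slice(0, -1); // drop the trailing ":"
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;

  const host = url.hostname; // IPv6 literals keep their brackets here
  if (host === "[::1]") return true; // ::1/128
  const v4 = parseIPv4(host);
  if (v4 !== null && v4[0] === 127) return true; // 127.0.0.0/8, not only 127.0.0.1
  if (trustLocalhostNames && (host === "localhost" || host.endsWith(".localhost"))) {
    return true;
  }
  return false;
}

// Mixed-content decision for a subresource request issued by a document.
// Returns "allowed" or "blocked". Only http: and ws: subresources can be
// mixed; https:, wss:, data:, blob: and friends are left alone here.
function mixedContentDecision(documentOrigin, requestUrl, opts) {
  // A document that is not itself a secure context has no mixed content.
  if (!isPotentiallyTrustworthy(documentOrigin, opts)) return "allowed";
  const scheme = new URL(requestUrl).protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "ws") return "allowed";
  // The change proposed in this bug: decide by "potentially trustworthy",
  // not purely by the request URL's scheme.
  return isPotentiallyTrustworthy(requestUrl, opts) ? "allowed" : "blocked";
}

// Constructed inputs: a TLS page talking to a local agent vs. a remote host.
console.log(mixedContentDecision("https://example.com", "http://127.0.0.1:8080/status")); // allowed
console.log(mixedContentDecision("https://example.com", "http://localhost:8080/status"));  // blocked
console.log(mixedContentDecision("https://example.com", "http://example.net/lib.js"));     // blocked
```

Note what the model does not do: an `http://example.com` document fetching `http://127.0.0.1` is "allowed" because there is no mixed content at all in a non-secure context, which is exactly the point made earlier that mixed-content blocking was never a barrier against the public web reaching localhost.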

Cc: jww@chromium.org mkwst@chromium.org iyengar@chromium.org
Issue 612180 has been merged into this issue.

Comment 11 by sheriffbot@chromium.org, Jun 1 2016

Labels: -M-52 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by bugdroid1@chromium.org, Jun 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

commit 130ee686fa00b617bfc001ceb3bb49782da2cb4e
Author: mkwst <mkwst@chromium.org>
Date: Wed Jun 22 18:35:47 2016

Stop blocking 'http://127.0.0.1/' as mixed content.

Currently, mixed content checks block http://127.0.0.1 from loading in a
page delivered over TLS. I'm (belatedly) coming around to the idea that
that restriction does more harm than good. In particular, I'll note that
folks are installing new trusted roots and self-signing certs for that
IP address, exposing themselves to additional risk for minimal benefit.
Helpful locally installed software is doing the same, with even more
associated risk.

This patch aligns our mixed content checks with the Secure Contexts
notion of "potentially trustworthy", allowing 'http://127.0.0.1'
accordingly.

BUG=607878
R=estark@chromium.org,rsleevi@chromium.org

Review-Url: https://codereview.chromium.org/1931063004
Cr-Commit-Position: refs/heads/master@{#401363}

[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/chrome/browser/ssl/ssl_browser_tests.cc
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/chrome/test/data/ssl/frame_left.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/chrome/test/data/ssl/page_displays_insecure_content.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/chrome/test/data/ssl/page_runs_insecure_content.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/fetch/resources/fetch-test-helpers.js
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content-nocors.js
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content.js
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-blockable-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-optionally-blockable-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/active-mixed-content-iframe.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/passive-mixed-content-iframe.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/navigation/ping-cross-origin-from-https-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/navigation/resources/ping-cross-origin-from-https-target.html
[delete] https://crrev.com/2daffdccc85520a52ddfaaf8739b3d08517ff1a9/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-iframe-blocked.https-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-async-post-xhr-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-image-with-reload-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-iframe-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-resources-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-empty-srcset-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-eventsource-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-font-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-frame-in-data-iframe-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-allowed-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-allowed-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-expected.txt
[add] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-localhost-allowed.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-picture-in-main-frame-blocked.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-plugin-in-iframe-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-iframe-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-allowed-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-through-redirection-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-srcset-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-allowed-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-texttrack-in-main-frame-blocked-expected.txt
[delete] https://crrev.com/2daffdccc85520a52ddfaaf8739b3d08517ff1a9/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt
[delete] https://crrev.com/2daffdccc85520a52ddfaaf8739b3d08517ff1a9/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html
[add] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/preload-insecure-image-in-main-frame-blocked-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-image.css
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-resources.css
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-preloads-insecure-image.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-frame.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-async-xhr-post.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-css.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-empty-srcset.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-eventsource.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-fetch.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-font.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-formSubmission.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-frame.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-iframe.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-picture.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-plugin.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script-through-redirection.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-srcset.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-texttrack.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-invisible-DOM-with-insecure-form.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-frame.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-reportonly.https.php
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-websocket-blocked.https.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-successful-construction.js
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-throw-on-construction.js
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-mixed-content-to-outscope-expected.txt
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-inscope.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
[modify] https://crrev.com/130ee686fa00b617bfc001ceb3bb49782da2cb4e/third_party/WebKit/Source/core/loader/MixedContentCheckerTest.cpp

We really should make sure that the 'public web can't by default access private web' mechanism lands in the same release as this does.
Have any CLs that try to do that been worked on? This will hit M-53, which branches "real soon now" - any UI changes to accomplish that would also need to be approved and landed "within days", and that seems... a stretch.

I agree, however, that such a change would SIGNIFICANTLY allay my concerns. I'm still not a believer that the current practice is worse than what this allows. But I also shout at clouds from time to time.
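
The "public web can't by default access private web" mechanism asked for above is a separate layer from mixed content, so here is an added example of that layer on its own (my own code, not Chromium's and not the cors-rfc1918 draft text). It classifies resolved IPv4 addresses into three address spaces and only lets a document fetch "outward" toward a more public space; fetching into a more private space is blocked unless the target has opted in. The space names `local` / `private` / `public`, the ranking rule and the `targetOptsIn` flag are my simplified reading of the proposal, not its normative text, and the TEST-NET addresses used as inputs are constructed. The check keys on addresses rather than schemes, which is what lets it cover the `http://` page case that mixed content never did.

```javascript
// Added example, not code from Chromium or the cors-rfc1918 draft: a model of
// "public web can't reach private addresses by default", decided on resolved
// IPv4 literals instead of URL schemes. Node.js, no dependencies.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = IPV4_RE.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Classify a resolved IPv4 address into an address space. Names must be
// resolved before calling this; classifying a hostname would repeat the
// ".localhost" resolution problem discussed earlier in the thread.
function addressSpace(ip) {
  const o = parseIPv4(ip);
  if (o === null) throw new TypeError(`expected an IPv4 literal, got ${ip}`);
  const [a, b] = o;
  if (a === 127) return "local";                          // 127.0.0.0/8 loopback
  if (a === 10) return "private";                         // 10.0.0.0/8 (RFC 1918)
  if (a === 172 && b >= 16 && b <= 31) return "private";  // 172.16.0.0/12 (RFC 1918)
  if (a === 192 && b === 168) return "private";           // 192.168.0.0/16 (RFC 1918)
  if (a === 169 && b === 254) return "private";           // 169.254.0.0/16 link-local
  return "public";
}

// local < private < public: a request may only move to an equal or more
// public space without consent.
const RANK = { local: 0, private: 1, public: 2 };

// Decide whether a document served from documentIp may fetch from targetIp.
// targetOptsIn (my stand-in for the draft's consent mechanism) lets a local
// service deliberately expose itself to the public web.
function privateNetworkDecision(documentIp, targetIp, { targetOptsIn = false } = {}) {
  const from = addressSpace(documentIp);
  const to = addressSpace(targetIp);
  if (RANK[to] >= RANK[from]) return "allowed";
  return targetOptsIn ? "allowed" : "blocked";
}

// Constructed inputs (TEST-NET-3 stands in for a public host).
console.log(privateNetworkDecision("203.0.113.10", "127.0.0.1"));   // blocked
console.log(privateNetworkDecision("127.0.0.1", "203.0.113.10"));   // allowed
console.log(privateNetworkDecision("192.168.1.10", "127.0.0.1"));   // blocked
```

Read together with the mixed-content model earlier in the thread: for a TLS page fetching `http://127.0.0.1`, mixed content now says "allowed" while this check says "blocked" unless the local service opts in, which is the combination the previous comment wants shipped in the same release.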

Comment 15 by sheriffbot@chromium.org, Jul 11 2016

Labels: -M-53 MovedFrom-53
This issue has been moved once and is lower than Pri-1. Removing the milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by bugdroid1@chromium.org, Jul 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9d34b4a2d425b25bdf90e9bf785cd7132f73037

commit c9d34b4a2d425b25bdf90e9bf785cd7132f73037
Author: carlosk <carlosk@chromium.org>
Date: Mon Jul 18 15:45:33 2016

Small improvements to MixedContentChecker.

Just a couple of improvements to MixedContentChecker:
- Remove unneeded check for data protocol: it's already included in the protocols
checked in SecurityOrigin::isSecure.
- Improved check for localhost by name to be more complete.

BUG=607878,624275

Review-Url: https://codereview.chromium.org/2151473002
Cr-Commit-Position: refs/heads/master@{#406000}

[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/platform/network/NetworkUtils.cpp
[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/platform/network/NetworkUtils.h
[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp

Comment 17 by mkwst@chromium.org, Aug 10 2017

Blockedon: 691930
Labels: Hotlist-EnamelAndFriendsFixIt

Comment 19 by mkwst@chromium.org, Jan 22 2018

Status: Fixed (was: Started)
