Issue 657799 link

Starred by 3 users

Issue metadata

Status:	Assigned
Owner:	█ mkwst@chromium.org Buried. Ping if important.
Components:	Blink>SecurityFeature
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Task
OWP-Design-No Hotlist-Interop OWP-Standards-UnofficialSpec OWP-Type-Deprecation migrated-launch-owp

Deprecate loopback access from non-secure contexts.

Project Member Reported by mkwst@chromium.org, Oct 20 2016

Issue description

Apple proposed restricting access to loopback addresses from non-secure contexts in https://lists.w3.org/Archives/Public/public-webappsec/2016Oct/0032.html. This is in-line with the proposals in https://wicg.github.io/cors-rfc1918/ that we're experimenting with, and Mozilla seems on board as well: https://lists.w3.org/Archives/Public/public-webappsec/2016Oct/0037.html

Project Member

Comment 1 by bugdroid1@chromium.org, Oct 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4eee3895bfebed995767c28b9b41c42004ce47f8

commit 4eee3895bfebed995767c28b9b41c42004ce47f8
Author: mkwst <mkwst@chromium.org>
Date: Thu Oct 20 15:41:14 2016

Add metrics to measure localhost resources in non-secure contexts.

BUG=657799

Review-Url: https://chromiumcodereview.appspot.com/2433413003
Cr-Commit-Position: refs/heads/master@{#426481}

[modify] https://crrev.com/4eee3895bfebed995767c28b9b41c42004ce47f8/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/4eee3895bfebed995767c28b9b41c42004ce47f8/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
[modify] https://crrev.com/4eee3895bfebed995767c28b9b41c42004ce47f8/tools/metrics/histograms/histograms.xml

Comment 2 by rbyers@chromium.org, Nov 18 2016

Components: Blink>SecurityFeature

Comment 3 by owe...@chromium.org, Sep 12 2017

Labels: migrated-launch-owp Type-Task

This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge

Comment 4 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 5 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 6 by phistuck@chromium.org, Mar 3 2018

Labels: Hotlist-Interop

►

Issue 657799 link

Issue metadata

Deprecate loopback access from non-secure contexts.

Issue description

Comment 1 by bugdroid1@chromium.org, Oct 20 2016

Comment 1 Deleted

Comment 2 by rbyers@chromium.org, Nov 18 2016

Comment 2 Deleted

Comment 3 by owe...@chromium.org, Sep 12 2017

Comment 3 Deleted

Comment 4 by est...@chromium.org, Nov 10 2017

Comment 4 Deleted

Comment 5 by est...@chromium.org, Feb 18 2018

Comment 5 Deleted

Comment 6 by phistuck@chromium.org, Mar 3 2018

Comment 6 Deleted

Sign in to add a comment