New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 669047 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Nov 2016
Cc:
mkwst@chromium.org
est...@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Insecure URL Tag on Localhost Addresses

Reported by etci...@gmail.com, Nov 28 2016 
Chrome Version       : 57.0.2931.0 (Developer Build) (32-bit)

The http://localhost URL will not be tagged as insecure (which is OK), but http://localhost.internationalcorporation.com will show "INSECURE" even when it resolves to 127.0.0.1

Please don't show insecure when it resolves to 127.0.0.1 regardless of URL. There is no exposure to the internet and this tag will seed baseless distrust in local services.

Thank you.

Comment 1 by morettis...@gmail.com, Nov 28 2016 

I was on my email

Comment 2 by manoranj...@chromium.org, Nov 29 2016

Labels: M-57

Comment 3 by hdodda@chromium.org, Nov 29 2016

Labels: TE-NeedsTriageHelp

Comment 4 by davidben@chromium.org, Nov 29 2016

Cc: mkwst@chromium.org est...@chromium.org
Status: WontFix (was: Unconfirmed)
This is working as intended. An attacker can direct any host to 127.0.0.1 by spoofing DNS. If we let that through, an attacker can compromise random origins depending on what kinds of services are running locally on the user's machine.

The localhost exception requires that we be able to securely resolve that name to a local service at every stage, including DNS.

Sign in to add a comment