New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 753805 link

Starred by 6 users
Status: Duplicate
Merged: issue 412058
Owner:
mkwst@chromium.org
Buried. Ping if important.
Closed: Oct 2017
Cc:
mkwst@chromium.org
elawrence@chromium.org
est...@chromium.org
rbasuvula@chromium.org
maxkirsch@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

http://localhost is considered mixed content

Reported by raniel...@gmail.com, Aug 9 2017 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.31 Safari/537.36

Steps to reproduce the problem:
According to https://sites.google.com/a/chromium.org/dev/Home/chromium-security/security-faq?pli=1#TOC-Which-origins-are-secure- it has the following:

Which origins are "secure"?

Secure origins are those that match at least one of the following (scheme, host, port) patterns:
(https, *, *)
(wss, *, *)
(*, localhost, *)
(*, 127/8, *)
(*, ::1/128, *)
(file, *, —)
(chrome-extension, *, —)

It states that localhost is considered a secure origin, but chrome on all platforms doesn't treat it as such. 

What is the expected behavior?
*://localhost/ should be treated as secure

What went wrong?
get security errors

Did this work before? N/A 

Chrome version: 61.0.3163.31  Channel: beta
OS Version: 10.0
Flash Version: 

https://bugs.chromium.org/p/chromium/issues/detail?id=362214 indicated that this was fixed at one point.

Comment 1 by est...@chromium.org, Aug 9 2017

Cc: elawrence@chromium.org mkwst@chromium.org
Components: Blink>SecurityFeature>SecureContexts
Labels: OS-Android OS-Chrome OS-Linux OS-Mac
Summary: http://localhost is considered mixed content (was: http://localhost/ is not considered secure)
I believe the particular issues here are that http://localhost is blocked as mixed content, and certificate errors are not ignored on https://localhost. The latter is issue 717340.

Mike, do we have a master bug for 'let localhost be localhost'? I think we need to figure out under what circumstances localhost is not localhost in Chrome today, fix or document those, and then we want to make http://localhost not be mixed content, yeah?

Comment 2 by kenrb@chromium.org, Aug 9 2017

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 3 Deleted

Comment 4 by raniel...@gmail.com, Aug 9 2017 

Yes, both issues are exactly what we encountered.

Comment 5 by est...@chromium.org, Aug 9 2017

Cc: est...@chromium.org

Comment 6 by maxkirsch@chromium.org, Aug 9 2017

Cc: maxkirsch@chromium.org

Comment 7 by rbasuvula@chromium.org, Aug 14 2017

Cc: rbasuvula@chromium.org
Labels: TE-NeedsTriageHelp
This looks like issue with http://localhost,In-house(TE)team not having the permission to create localhost(scheme, host, port), hence adding the respective label for it to  triage further.

Thank You!

Comment 8 by jochen@chromium.org, Oct 5 2017

Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 9 by mkwst@chromium.org, Oct 5 2017

Mergedinto: 412058
Status: Duplicate (was: Assigned)

Sign in to add a comment