mixed-content: Check that 'http://127.0.0.1/' is not blocked as mixed content #5304
Conversation
Without this some of the upcoming tests will fail due to CORS.
The WPT tests are stored under `testing/web-platform/` in mozilla-central.
According to the spec, content from loopback addresses should no longer be treated as mixed content even in secure origins. See:
- w3c/webappsec-mixed-content@349501c
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

The added tests pass in Chrome 53 and later, see:
- https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

They will also soon pass in Firefox, see:
- https://bugzilla.mozilla.org/show_bug.cgi?id=903966

It is unclear if HTTPS origins should be able to use workers and WebSocket connections through a loopback HTTP address. They are not supported in Chrome (whether this is intentional or not is uncertain) so I chose not to include `websocket-request` and `worker-request` checks for the `loopback-allowed` case.

Also note that `localhost` is now also allowed by the spec (as long as the UA guarantees that it resolves to a loopback address), but Chrome does not support it so I chose not to test it either.

We should ideally also test the IPv6 loopback address (`::1`), but our testing infrastructure does not seem to like IPv6 addresses. I'll investigate and submit a follow-up PR for that.
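The spec rule the PR description relies on, as an added example that is not part of the PR or the WPT repository: a minimal model of the Secure Contexts "is origin potentially trustworthy" check, used to decide whether an `https:` document fetching a given URL is mixed content. It follows the spec's loopback rules (the whole `127.0.0.0/8` block and `::1`, so it is broader than the two addresses Chrome 53 whitelists), and treats `localhost` as trustworthy only when the caller asserts the UA guarantees loopback resolution; the `uaGuaranteesLocalhost` option and the function names are assumptions of this example.

```javascript
// Added example: model of the mixed-content decision for a secure document.
// Assumption: only the loopback / localhost rules discussed in the PR are modelled.

function isLoopbackHost(hostname) {
  // IPv4 loopback per the spec is the entire 127.0.0.0/8 block.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (m) {
    const octets = m.slice(1).map(Number);
    return octets.every((o) => o <= 255) && octets[0] === 127;
  }
  // The WHATWG URL parser reports an IPv6 host in bracketed form.
  return hostname === "[::1]";
}

function isPotentiallyTrustworthy(url, { uaGuaranteesLocalhost = false } = {}) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  if (isLoopbackHost(u.hostname)) return true;
  // `localhost` counts only if the UA guarantees it resolves to loopback.
  if (uaGuaranteesLocalhost &&
      (u.hostname === "localhost" || u.hostname.endsWith(".localhost"))) {
    return true;
  }
  return false;
}

// True when fetching `url` from a document at `documentOrigin` is mixed content:
// only secure (https:) documents can have mixed content at all.
function isMixedContent(documentOrigin, url, opts) {
  const doc = new URL(documentOrigin);
  if (doc.protocol !== "https:") return false;
  return !isPotentiallyTrustworthy(url, opts);
}
```

Running `isMixedContent("https://example.com", "http://127.0.0.1/")` returns `false`, which is exactly the behaviour the `loopback-allowed` tests assert.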
Notifying @kristijanburnik.
cc @mikewest
Firefox (nightly channel): testing web-platform-tests at revision bc19d30. All results: 326 tests ran.
Chrome (unstable channel): testing web-platform-tests at revision bc19d30.
@Ms2ger Could you help me find someone to review this?
@kristijanburnik and @mikewest seem good targets, and if not they should probably be able to find someone.
@@ -23,6 +23,7 @@ function MixedContentTestCase(scenario, description, sanityChecker) { | |||
|
|||
var sameOriginHost = location.hostname; | |||
var crossOriginHost = "{{domains[www1]}}"; | |||
var localhostIPv4Host = "127.0.0.1"; |
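Review bot: the new `var localhostIPv4Host = "127.0.0.1";` constant assumes that a wptserve instance is reachable on the IPv4 loopback address on the same ports as the test origin, which is not true on hosted deployments such as w3c-test.org as raised in the thread; rather than hard-coding the host, derive it from the server configuration (as `crossOriginHost` already does with `{{domains[www1]}}`) or skip the `loopback-ipv4-http` scenarios when no loopback server is configured. The IPv6 loopback address (`::1`) that the spec also covers has no counterpart here; a parallel constant sourced the same way would let it be added once the testing infrastructure handles IPv6.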
I don't think this is going to work in general. @jgraham will have thoughts, I'm sure, but I don't think we can make the assumption that 127.0.0.1 is actually running a server. It won't be running a server on w3c-test.org, for instance.
@jgraham ping ^
…erschb,kmckinley

According to the spec, content from loopback addresses should no longer be treated as mixed content even in secure origins. See:
- w3c/webappsec-mixed-content@349501c
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Note that we only whitelist '127.0.0.1' and '::1' to match Chrome 53 and later. See:
- https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

It is unclear if HTTPS origins should be able to use workers and WebSocket connections through a loopback HTTP address. They are not supported in Chrome (whether this is intentional or not is uncertain) so lets just ignore them for now.

See also: web-platform-tests/wpt#5304
…erschb,kmckinley

According to the spec, content from loopback addresses should no longer be treated as mixed content even in secure origins. See:
- w3c/webappsec-mixed-content@349501c
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Note that we only whitelist '127.0.0.1' and '::1' to match Chrome 53 and later. See:
- https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

It is unclear if HTTPS origins should be able to use workers and WebSocket connections through a loopback HTTP address. They are not supported in Chrome (whether this is intentional or not is uncertain) so lets just ignore them for now.

See also: web-platform-tests/wpt#5304

UltraBlame original commit: 74f065888725aaeeb6c518cb6c563944f099c054