mixed-content: Check that 'http://127.0.0.1/' is not blocked as mixed content #5304

Closed. 3 commits.

@poiru commented Mar 31, 2017

According to the spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:
- w3c/webappsec-mixed-content@349501c
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

The added tests pass in Chrome 53 and later, see:
- https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

They will also soon pass in Firefox, see:
- https://bugzilla.mozilla.org/show_bug.cgi?id=903966

It is unclear if HTTPS origins should be able to use workers and WebSocket
connections through a loopback HTTP address. They are not supported in Chrome
(whether this is intentional or not is uncertain) so I chose not to include
`websocket-request` and `worker-request` checks for the `loopback-allowed`
case.

Also note that `localhost` is now also allowed by the spec (as long as the UA
guarantees that it resolves to a loopback address), but Chrome does not
support it so I chose not to test it either.

We should ideally also test the IPv6 loopback address (`::1`), but our testing
infrastructure does not seem to like IPv6 addresses. I'll investigate and
submit a follow-up PR for that.

Without this some of the upcoming tests will fail due to CORS.
The WPT tests are stored under `testing/web-platform/` in
mozilla-central.
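To make the rule the PR relies on concrete, here is an added example (not code from the wpt PR, from the spec, or from any browser) that models the Secure Contexts "is origin potentially trustworthy" check for loopback literals and the resulting mixed-content verdict under a block-all-mixed-content policy, which I assume is what the suite's `http-csp` opt-in sets. The function names (`isLoopbackHost`, `isPotentiallyTrustworthy`, `mixedContentVerdict`), the `uaGuaranteesLocalhostLoopback` option, and the hostnames in the scenarios are this example's own inventions; redirects are checked hop by hop to mirror the `keep-scheme-redirect` scenarios, and the `localhost` caveat from the description is modelled as an explicit option rather than assumed.

```javascript
// Added example, not code from the wpt PR or from any browser: a minimal model
// of the Secure Contexts "potentially trustworthy origin" check and of the
// Mixed Content verdict that the PR's tests exercise. Function names are ours.

// True for the IPv4 loopback block 127.0.0.0/8 and the IPv6 loopback ::1.
// Hostnames are taken from URL.hostname, which keeps IPv6 literals bracketed
// ("[::1]") and normalises IPv4 literals to dotted-quad form.
function isLoopbackHost(hostname) {
  if (hostname.startsWith("[") && hostname.endsWith("]")) {
    return hostname.slice(1, -1).toLowerCase() === "::1";
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every(o => Number(o) <= 255) && Number(m[1]) === 127;
}

// https/wss origins are trustworthy; any other origin is trustworthy only when
// its host is a loopback literal. "localhost" names count only if the UA
// guarantees they resolve to loopback (the PR notes Chrome did not), so that
// guarantee is an explicit option here (assumed name, not a spec term).
function isPotentiallyTrustworthy(urlString, { uaGuaranteesLocalhostLoopback = false } = {}) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable URL: treat as untrusted
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  if (scheme === "https" || scheme === "wss") return true;
  if (isLoopbackHost(url.hostname)) return true;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  return uaGuaranteesLocalhostLoopback && (host === "localhost" || host.endsWith(".localhost"));
}

// Mixed Content under block-all-mixed-content: a request from a secure context
// is blocked as soon as any URL in its redirect chain is not potentially
// trustworthy. Returns "allowed" or "blocked", the expectation values used by
// the WPT mixed-content tests. Optionally-blockable subresources (img, audio,
// video) are deliberately not special-cased in this model.
function mixedContentVerdict(documentUrl, requestChain, opts = {}) {
  if (!isPotentiallyTrustworthy(documentUrl, opts)) {
    return "allowed"; // the page itself is not a secure context; nothing to block
  }
  for (const hop of requestChain) {
    if (!isPotentiallyTrustworthy(hop, opts)) return "blocked";
  }
  return "allowed";
}

// Scenarios constructed to mirror the PR's test matrix (hosts are made up).
const scenarios = [
  ["loopback-ipv4-http / no-redirect", "https://example.test/", ["http://127.0.0.1:8000/img.png"]],
  ["loopback-ipv4-http / keep-scheme-redirect", "https://example.test/",
    ["http://127.0.0.1:8000/redir", "http://127.0.0.1:8000/img.png"]],
  ["loopback-ipv6-http", "https://example.test/", ["http://[::1]:8000/img.png"]],
  ["cross-origin-http (expected blocked)", "https://example.test/", ["http://www1.example.test/img.png"]],
  ["localhost-http without UA guarantee (expected blocked)", "https://example.test/", ["http://localhost:8000/img.png"]],
];
for (const [name, doc, chain] of scenarios) {
  console.log(`${name}: ${mixedContentVerdict(doc, chain)}`);
}
```

The point the scenarios make is the one the review thread circles around: a loopback literal is trustworthy by virtue of the address alone, while `localhost` is not unless the UA refuses to resolve it anywhere else, and a redirect that leaves loopback for a routable host is blocked even though the first hop was allowed.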
@wpt-pr-bot (Collaborator) commented:

Notifying @kristijanburnik.

@poiru (Author) commented Mar 31, 2017

cc @mikewest

@w3c-bots commented:

*This report has been truncated because the total content is 635514 characters in length, which is in excess of GitHub.com's limit for comments (65536 characters).

Firefox (nightly channel)

Testing web-platform-tests at revision bc19d30
Using browser at version BuildID 20170331102157; SourceStamp 8df9fabf2587b7020889755acb9e75b664fe13cf
Starting 10 test iterations
All results were stable

All results

326 tests ran
Every test listed is `/mixed-content/allowed/http-csp/<origin>/<subresource>/top-level/<redirection>/loopback-allowed.https.html` for origin `loopback-ipv4-http`, or `.../allowed.https.html` for origin `same-host-https`. Every subtest carries `opt_in_method: http-csp`, `source_scheme: https`, `context_nesting: top-level` and `expectation: allowed`; every FAIL message reads `assert_equals: The triggered event should match 'allowed'. expected "allowed" but got "blocked"`.

| origin | subresource | redirection | harness | subtest |
|---|---|---|---|---|
| loopback-ipv4-http | audio-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | audio-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | fetch-request | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | fetch-request | no-redirect | OK | FAIL |
| loopback-ipv4-http | form-tag | keep-scheme-redirect | TIMEOUT | |
| loopback-ipv4-http | form-tag | no-redirect | TIMEOUT | |
| loopback-ipv4-http | iframe-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | iframe-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | img-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | img-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | link-css-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | link-css-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | link-prefetch-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | link-prefetch-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | object-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | object-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | picture-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | picture-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | script-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | script-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | video-tag | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | video-tag | no-redirect | OK | FAIL |
| loopback-ipv4-http | xhr-request | keep-scheme-redirect | OK | FAIL |
| loopback-ipv4-http | xhr-request | no-redirect | OK | FAIL |
| same-host-https | audio-tag | keep-scheme-redirect | OK | FAIL |
| same-host-https | audio-tag | no-redirect | OK | FAIL |
| same-host-https | fetch-request | keep-scheme-redirect | OK | PASS |
| same-host-https | fetch-request | no-redirect | OK | PASS |
| same-host-https | form-tag | keep-scheme-redirect | OK | PASS |
| same-host-https | form-tag | no-redirect | OK | PASS |
| same-host-https | iframe-tag | keep-scheme-redirect | (truncated) | (truncated) |

@w3c-bots commented:

Chrome (unstable channel)

Testing web-platform-tests at revision bc19d30
Using browser at version 59.0.3053.3 dev
Starting 10 test iterations

@poiru (Author) commented Apr 13, 2017

@Ms2ger Could you help me find someone to review this?

@Ms2ger (Contributor) commented Apr 14, 2017

@kristijanburnik and @mikewest seem good targets, and if not they should probably be able to find someone.

@@ -23,6 +23,7 @@ function MixedContentTestCase(scenario, description, sanityChecker) {

var sameOriginHost = location.hostname;
var crossOriginHost = "{{domains[www1]}}";
var localhostIPv4Host = "127.0.0.1";
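Review bot: the new `localhostIPv4Host = "127.0.0.1"` literal silently assumes that a WPT server is listening on the loopback interface of whatever machine runs the browser, on the same port the test page was served from; on a shared deployment such as w3c-test.org, as raised below, nothing is listening there, so the `loopback-allowed` scenarios would fail for reasons unrelated to mixed-content handling. Consider sourcing the host from the server configuration the way `crossOriginHost` uses the `{{domains[www1]}}` template, or skipping the loopback scenarios when no loopback host is configured. The name is also slightly misleading: the PR text distinguishes a loopback literal from `localhost`, so `loopbackIPv4Host` would match the scenario name `loopback-ipv4-http` better.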
Member commented:

I don't think this is going to work in general. @jgraham will have thoughts, I'm sure, but I don't think we can make the assumption that 127.0.0.1 is actually running a server. It won't be running a server on w3c-test.org, for instance.

Author commented:

@jgraham ping ^

moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request May 10, 2017
…erschb,kmckinley

According to the spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:
- w3c/webappsec-mixed-content@349501c
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Note that we only whitelist '127.0.0.1' and '::1' to match Chrome 53 and
later. See:
- https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

It is unclear if HTTPS origins should be able to use workers and WebSocket
connections through a loopback HTTP address. They are not supported in Chrome
(whether this is intentional or not is uncertain) so let's just ignore them for
now.

See also: web-platform-tests/wpt#5304
aethanyc pushed a commit to aethanyc/gecko-dev that referenced this pull request May 12, 2017
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this pull request Oct 1, 2019
UltraBlame original commit: 74f065888725aaeeb6c518cb6c563944f099c054
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this pull request Oct 1, 2019
UltraBlame original commit: 74f065888725aaeeb6c518cb6c563944f099c054
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this pull request Oct 1, 2019
UltraBlame original commit: 74f065888725aaeeb6c518cb6c563944f099c054
@poiru poiru closed this Jul 9, 2020
6 participants