Bug 173161 - WebKit rejects requests to localhost from https:// pages
Status: RESOLVED DUPLICATE of bug 171934
https://bugs.webkit.org/show_bug.cgi?id=173161
homakov
Reported 2017-06-09 08:31:43 PDT
Due to Mixed Content warnings on https pages, both mobile and desktop Safari reject access to http://127.0.0.1 and ws://127.0.0.1, which are localhost and technically not vulnerable to potential MitM attacks; there's no need to block these requests.

Here is a use case for why our project badly needs this access: our app works as an authenticator like U2F that signs specific challenges given by the browser, so the user can log in to some website. When we simply open an app:// URL from the browser, the app does not know who exactly opened it. We found a neat way to transfer an unspoofable location.origin to the app: by making a request to a localhost server which the app runs. Our app has a WebSocket server at localhost:3101 and accepts requests from the browser, then checks the Origin header to get the trusted origin. It works like a breeze in all other desktop browsers and in Android. Firefox already fixed it in 55: https://bugzilla.mozilla.org/show_bug.cgi?id=1370861

It would be great if Safari could stop the blocking or, in the worst case, allow a preflight request to let websites securely call our app's websocket. It's really the only way for secure site<->app communication we could find.
Radar WebKit Bug Importer
Comment 1 2017-06-09 08:31:57 PDT
homakov
Comment 2 2017-06-09 08:32:17 PDT
Alexey Proskuryakov
Comment 3 2017-06-09 14:13:16 PDT
As discussed in the original, I do not think that this is a valid use case for a web browser, and should be prevented even more strictly.

*** This bug has been marked as a duplicate of bug 171934 ***