[epiphany/revert-5fb1950d] Revert "Trust localhost ip address as EPHY_SECURITY_LEVEL_LOCAL_PAGE"



commit 729da979965c06eb40fcd8719f2a73955a79dd52
Author: Jan-Michael Brummer <jan brummer tabos org>
Date:   Wed Dec 26 22:58:32 2018 +0000

    Revert "Trust localhost ip address as EPHY_SECURITY_LEVEL_LOCAL_PAGE"
    
    This reverts commit 5fb1950d1b318555eb0c7c2be16a25eb49f22e87

 embed/ephy-web-view.c                    | 3 ---
 embed/web-extension/resources/js/ephy.js | 4 +---
 2 files changed, 1 insertion(+), 6 deletions(-)
---
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index c70d067fe..0058d82ac 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -1853,9 +1853,6 @@ update_security_status_for_committed_load (EphyWebView *view,
 
   if (!soup_uri ||
       strcmp (soup_uri_get_scheme (soup_uri), EPHY_VIEW_SOURCE_SCHEME) == 0 ||
-      // Warning: we do not whitelist localhost because it could be redirected by DNS.
-      strcmp (soup_uri_get_host (soup_uri), "127.0.0.1") == 0 ||
-      strcmp (soup_uri_get_host (soup_uri), "::1") == 0 ||
       webkit_security_manager_uri_scheme_is_local (security_manager, soup_uri->scheme) ||
       webkit_security_manager_uri_scheme_is_empty_document (security_manager, soup_uri->scheme)) {
     security_level = EPHY_SECURITY_LEVEL_LOCAL_PAGE;
diff --git a/embed/web-extension/resources/js/ephy.js b/embed/web-extension/resources/js/ephy.js
index addd9b179..fc453584b 100644
--- a/embed/web-extension/resources/js/ephy.js
+++ b/embed/web-extension/resources/js/ephy.js
@@ -583,9 +583,7 @@ Ephy.FormManager = class FormManager
 
     _sensitiveElementFocused(event)
     {
-        let url = new URL(this._form.action);
-        // Warning: we do not whitelist localhost because it could be redirected by DNS.
-        let isInsecureAction = url.protocol == 'http:' && url.hostname != "127.0.0.1" && url.hostname != 
"::1";
+        let isInsecureAction = this._form.action.startsWith('http://');
         
window.webkit.messageHandlers.sensitiveFormFocused.postMessage(this._sensitiveElementMessageSerializer(this._pageID,
 isInsecureAction));
     }
 
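Review bot: The added `this._form.action.startsWith('http://')` line reads `action` as a property of the form element, and form elements expose their named controls as properties that take precedence over the built-in ones. If a page's form has a control named `action`, the lookup yields that element instead of the URL string, `startsWith` is undefined, and the handler throws before `sensitiveFormFocused` is posted, so the insecure-form signal is lost for that form. The removed `new URL(this._form.action)` line had the same exposure, so this is not new with the revert, but the check is security-relevant and worth hardening here. I would read the attribute through the prototype and resolve it explicitly: `let action = new URL(Element.prototype.getAttribute.call(this._form, 'action') || '', document.baseURI);` followed by `let isInsecureAction = action.protocol === 'http:';`. This assumes `document` is reachable from this script's context, which the hunk does not show.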

