[epiphany/mcatanzaro/localhost] Treat localhost as a secure origin



commit 76ec7378f6caa1ef4c7a853e5cceab5c795bb2be
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Thu Oct 10 10:23:59 2019 -0500

    Treat localhost as a secure origin
    
    Since glib!616 we know localhost now always resolves to the local
    computer, so we can suppress any transport security warnings like we
    already do for 127.0.0.1 and ::1.

 embed/ephy-web-view.c                            | 2 +-
 embed/web-process-extension/resources/js/ephy.js | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
---
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index aeedd254c..215276ee2 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -1891,9 +1891,9 @@ update_security_status_for_committed_load (EphyWebView *view,
 
   if (!soup_uri ||
       strcmp (soup_uri_get_scheme (soup_uri), EPHY_VIEW_SOURCE_SCHEME) == 0 ||
-      /* Warning: we do not whitelist localhost because it could be redirected by DNS. */
       g_strcmp0 (soup_uri_get_host (soup_uri), "127.0.0.1") == 0 ||
       g_strcmp0 (soup_uri_get_host (soup_uri), "::1") == 0 ||
+      g_strcmp0 (soup_uri_get_host (soup_uri), "localhost") == 0 ||
       webkit_security_manager_uri_scheme_is_local (security_manager, soup_uri->scheme) ||
       webkit_security_manager_uri_scheme_is_empty_document (security_manager, soup_uri->scheme)) {
     security_level = EPHY_SECURITY_LEVEL_LOCAL_PAGE;
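Review bot: The condition in update_security_status_for_committed_load now trusts the host name `localhost`, but the comment that recorded the DNS concern was removed with nothing to explain why the exemption is safe. The guarantee comes from the resolver change cited in the commit message (glib!616), and nothing in this diff raises the minimum GLib version, so a build running against an older GLib would presumably still resolve localhost through DNS while the warning is suppressed; the dependency floor is worth confirming. I would add above the new line `/* localhost is exempt only because GLib resolves it to loopback without DNS (glib!616). */`. The match is exact, so `localhost.` and `*.localhost` hosts still get the normal warning, which fails safe. The function body starts and ends outside the hunk.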
diff --git a/embed/web-process-extension/resources/js/ephy.js 
b/embed/web-process-extension/resources/js/ephy.js
index 379035e5b..e5f6dbe67 100644
--- a/embed/web-process-extension/resources/js/ephy.js
+++ b/embed/web-process-extension/resources/js/ephy.js
@@ -565,8 +565,7 @@ Ephy.FormManager = class FormManager
         let isInsecureAction = false;
         if (this._form.action) {
             let url = new URL(this._form.action);
-            // Warning: we do not whitelist localhost because it could be redirected by DNS.
-            isInsecureAction = url.protocol == 'http:' && url.hostname != "127.0.0.1" && url.hostname != 
"::1";
+            isInsecureAction = url.protocol == 'http:' && url.hostname != "127.0.0.1" && url.hostname != 
"::1" && url.hostname != "localhost";
         }
         
window.webkit.messageHandlers.passwordFormFocused.postMessage(this._passwordFormMessageSerializer(this._frameID,
 isInsecureAction));
     }
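Review bot: The `url.hostname != "::1"` test on the changed line can never match, because the URL API reports IPv6 hosts with their brackets (`[::1]`). A password form posting over http to the IPv6 loopback is therefore still flagged insecure, unlike the C check in ephy-web-view.c, which compares the unbracketed host. This fails safe, but the two exemption lists now disagree, and each new host has to be added in both places. I would write the line as `const isLoopback = ['127.0.0.1', '[::1]', 'localhost'].includes(url.hostname);` followed by `isInsecureAction = url.protocol === 'http:' && !isLoopback;`, and add a comment that the list must match the one in ephy-web-view.c. The enclosing method starts outside the hunk.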

