Mixed Content iframes on localhost

[mozfreddyb]

It has come to our attention that none of the 3 manor browser engines block insecure iframes on websites hosted on localhost. While this was reported as a private security bug, we have decided to talk about this in public because all browsers behave the same. Firstly, because the impact is relatively low and secondly to foster better conversations. (We are working on making the above report public).

The test case is as simple as putting http://example.com in an <iframe> on a page hosted at localhost.

As per the [spec section §4.3 "Does settings prohibig mixed security contexts?"], mixed-content should kick in is based off of whether an origin is potentially trustworthy, which http://localhost definitely is.

We have prototyped a patch in Gecko but do not want to make a unilateral change without cross-browser alignment.

I can see these options:

• Admit that all browsers behave the same and write it into the standard.
• Agree on this being fixed across multiple browsers and collaborate.
• Fix this but provide some sort of opt-out e.g. in DevTools.

CC @estark37, @annevk, @dveditz

(Edit: Credit belongs to Khiem Tran)

[annevk]

For a while at least we thought we had the invariant that when a document was a secure context, all documents nested inside of it were a secure context too.

I believe that invariant got broken at some point, but I cannot find any evidence right now. In particular I thought data: URLs might break it, but they don't.

This would break it however. If this is truly the only exception, that would be rather unfortunate.

[mikewest]

I agree with @annevk from a theoretical perspective.

Practically, my guess (in the complete absence of data) is that we'll find that a larger-than-desirable percentage of pages loaded from loopback would violate this constraint. I can add a metric to Blink to see how wrong that guess is, but I'd like to make a decision here with that number in hand rather than in the abstract.

[mikewest]

(I'll try to get https://chromium-review.googlesource.com/c/chromium/src/+/6179417 landed in the somewhat near future)

[nicolo-ribaudo]

This is not just about localhost, but in general about "local" documents. All browser allow http iframes in file:// documents and (at least WebKit's Web View, I don't know how to test other browsers) in custom local schemes that they consider trustworthy per step 7 of https://www.w3.org/TR/secure-contexts/#potentially-trustworthy-origin.

(btw, if you need an easy HTTP page with the proper headers to allow cross-origin loading you can use http://httpbin.org/html)

[nicolo-ribaudo]

The use counters that @mikewest added to Chrome show:

• 0.07% of page loads use mixed content on localhost
• 0.001% of page loads used mixed content iframes embedded in localhost