Bug 250776

Summary: Content-Security-Policy upgrade-insecure-requests should not be applied to localhost
Product: WebKit Reporter: Jaime Rivas <jaime>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: achristensen, annevk, ap, bfulgham, karlcow, mcatanzaro, m_finkel, rreno, syaifulnizam37, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 16   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 171934    
Bug Blocks:    

Jaime Rivas
Reported 2023-01-18 11:31:54 PST
Hello, I'm filing this under DOM but not sure if it is the right place. Please updated as needed :) Safari tries to upgrade to https in localhost. Content-Security-Policy upgrade-insecure-requests should not be applied to localhost. Chrome and Firefox both do NOT upgrade insecure requests to trustworthy localhost. Specific example: A webapp served over https tries to call a locally installed daemon which exposes an endpoint in localhost. Since Safari tries to upgrade the call to localhost, we cannot communicate with the daemon. Please see some links for more context: https://bugzilla.mozilla.org/show_bug.cgi?id=1447784 https://github.com/github/secure_headers/issues/348 Thank you!
Attachments
Radar WebKit Bug Importer
Comment 1 2023-01-18 13:19:46 PST
Brent Fulgham
Comment 2 2023-01-18 13:23:53 PST
We'll have to think about this in the context of Local Network Access. Part of this is related to our choice to not treat localhost as definitively trustworthy on secure sites. Once more rigorous protections are in place so users can understand when a site on the internet reaches out to local services it may make sense to relax things here. I guess the use case here is a site that sends the UIR header, but doesn't want localhost to be upgraded. I understand this is convenient for web app authors, but it doesn't especially make sense from the standpoint of the UIR header's use.
Matthew Finkel
Comment 3 2023-01-18 16:54:33 PST
Conceptually, this is a reasonable request because no one can receive a valid TLS certificate for localhost from a public CA. But, I agree with Brent that this is not a straight-forward bug. The "Upgrade Insecure Requests" specification does not explicitly give localhost an exception when deciding if the request should be upgraded. Instead, it only upgrades requests that are "a priori insecure" [0]. Chrome and Firefox handle localhost as a priori secure, but at this time WebKit handles it as insecure. There have been discussions around changing this (e.g., Bug 171934, Bug 218980), but they are currently open. [0] https://www.w3.org/TR/upgrade-insecure-requests/#should-upgrade-for-client
Karl Dubost
Comment 4 2023-01-18 17:54:41 PST
Jaime, > A webapp served over https tries to call a locally installed daemon which exposes an endpoint in localhost. Since Safari tries to upgrade the call to localhost, we cannot communicate with the daemon. Could you be more explicit about current use cases? Are there apps breaking currently on WebKit because of this difference? And what are the type of apps, business who would need this feature? This would help to figure out the scope.
Jaime Rivas
Comment 5 2023-01-19 03:47:05 PST
Thank you all for your comments and for the links to the other issues. @Karl: for sure, let me elaborate. We have a native application (let's call it "Tools") installed on the users' computers (the employees of several companies). The Tools application interacts with the local computer (it can save files, edit files, etc. It is something like Git version control). Tools acts as a daemon and exposes an API in localhost, which can be called from custom webapps from those customers (so all those different webapps from different domains can call the same Tools daemon). One solution (from the other linked issues) is to enable Private Network Access to allow secure contexts (the webapps over https) to access private networks after a CORS preflight and in that case treat localhost as a secure context and enable http communication. For now, we have had to force all Mac users to use Chrome, Edge, or Firefox :(. It is a pity that they cannot use Safari, hopefully this proposal can make it work. Thank you very much!
Karl Dubost
Comment 6 2023-01-19 20:55:28 PST
Thanks a lot. Adding Anne.
Anne van Kesteren
Comment 7 2023-01-19 23:44:42 PST
Until we have a path toward fixing bug 171934, I'm not sure it makes a lot of sense to put effort into this. We could address it now, but it would still result in localhost not being accessible.
Jaime Rivas
Comment 8 2023-09-07 10:54:32 PDT
Hi Anne, Karl, Matthew, Brent - I have been following the other issue (bug 171934) but I haven't seen any updates. Now that Sonoma has webapps that can be added to the dock and web push, it is such a pity that we cannot use Safari because we cannot reach localhost from htpps. Is there any chance that you could push it internally? I'm sure that all our Mac users will be delighted to be able to use Safari again with our webapps. Thank you very much in advance!
Note You need to log in before you can comment on or make changes to this bug.