Bug 279249

Summary: REGRESSION (iOS 18): Loading is blocked when trying to load localhost content from HTTPS website
Product: WebKit Reporter: Kento Kataoka <kento.kataoka>
Component: Page Loading    Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: achristensen, annevk, ap, beidson, cdumez, mcatanzaro, m_finkel, webkit-bug-importer, wilander, youennf
Priority: P2 Keywords: InRadar
Version: Safari 18   
Hardware: Mac (Apple Silicon)   
OS: macOS 15   
See Also: https://bugs.webkit.org/show_bug.cgi?id=247197

Kento Kataoka
Reported 2024-09-06 01:00:56 PDT
In Safari 18 beta, it blocks loading when trying to load localhost content from HTTPS websites. The JavaScript console in Safari shows the following.

> [blocked] The page at https://example.com/example requested insecure content from http://127.0.0.1:8080/dummy.png?state=XXXXXXXX. This content was blocked and must be served over HTTPS.

In Safari 17.5, it displays as follows and we can load it.

> The page at https://example.com/example was allowed to display insecure content from http://127.0.0.1:8080/dummy.png?state=XXXXXXXX.
Alexey Proskuryakov
Comment 1 2024-09-07 12:01:51 PDT
Probably related to 274409@main.
Radar WebKit Bug Importer
Comment 2 2024-09-07 12:02:02 PDT
Michael Catanzaro
Comment 3 2024-09-07 15:31:19 PDT
Yes, this is very likely caused by 274409@main since mixed content is now blocked if it cannot be upgraded. The mixed content spec says localhost is a secure context and therefore definitionally it's not mixed content, but WebKit does not follow the spec; see bug #171934 for discussion around that. Consequently, it's guaranteed/expected that such applications are broken now. I'm tempted to mark this bug as a duplicate of bug #171934. There's just not really anything else to do here other than implement the change suggested in that issue. (The only other alternative would be to outright revert 274409@main, but let's not please.)
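To make the disagreement in the comment above concrete, here is an added example (not code from WebKit, from the reporter, or from the spec editors) that models the mixed-content decision: the Secure Contexts "potentially trustworthy origin" check, reduced to the https/wss/file and loopback clauses, feeding the Mixed Content rule that a request is mixed when a trustworthy page fetches a non-trustworthy URL. The `loopbackIsTrustworthy` switch is an assumption used to contrast the spec (loopback and localhost are trustworthy, so the reporter's http://127.0.0.1 image is not mixed content) with the behaviour comment 3 attributes to WebKit via bug #171934 (loopback gets no exception, so the same image is mixed content and, after 274409@main, blocked). The page and probe URLs are taken from the reporter's console output.

```javascript
'use strict';

// Added example, not WebKit code. Reduced form of the Secure Contexts
// "Is origin potentially trustworthy?" algorithm: only the clauses that
// matter for this bug are modelled. `loopbackIsTrustworthy` is an assumed
// switch: true follows the spec, false approximates the WebKit behaviour
// described in comment 3 / bug #171934 (no loopback or localhost exception).
function isPotentiallyTrustworthy(url, { loopbackIsTrustworthy = true } = {}) {
  const u = new URL(url); // WHATWG parser: lowercases and normalises hosts
  if (u.protocol === 'https:' || u.protocol === 'wss:' || u.protocol === 'file:') {
    return true;
  }
  if (!loopbackIsTrustworthy) {
    return false; // http://127.0.0.1, http://localhost etc. are treated as plain http
  }
  const host = u.hostname;
  if (host === '[::1]') return true;                          // ::1/128
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // 127.0.0.0/8
  if (host === 'localhost' || host === 'localhost.') return true;
  if (host.endsWith('.localhost') || host.endsWith('.localhost.')) return true;
  return false;
}

// Mixed Content rule: a fetch from a potentially trustworthy document to a
// URL that is not potentially trustworthy is mixed content. Whether mixed
// content is then displayed with a warning (Safari 17.5 per the report) or
// blocked (Safari 18 per the report) is policy layered on top of this verdict.
function classifyLoad(pageUrl, resourceUrl, opts = {}) {
  const pageSecure = isPotentiallyTrustworthy(pageUrl, opts);
  const resourceSecure = isPotentiallyTrustworthy(resourceUrl, opts);
  if (!pageSecure) return 'not-mixed-content';   // plain http page: nothing to protect
  if (resourceSecure) return 'not-mixed-content'; // https, wss, or (per spec) loopback
  return 'mixed-content';
}

// The reporter's case, from the console lines in the bug description.
const PAGE = 'https://example.com/example';
const PROBE = 'http://127.0.0.1:8080/dummy.png?state=XXXXXXXX';

// Same request, evaluated under both models of the trustworthy-origin check.
function reporterCase() {
  return {
    perSpec: classifyLoad(PAGE, PROBE, { loopbackIsTrustworthy: true }),
    perWebKit: classifyLoad(PAGE, PROBE, { loopbackIsTrustworthy: false }),
  };
}

console.log(JSON.stringify(reporterCase()));
```

Under the spec model the probe is `not-mixed-content`; under the no-loopback-exception model it is `mixed-content`, which is the verdict the blocked console line reflects. Note that a page served over plain http never produces a mixed-content verdict in either model, which is why this regression only affects HTTPS origins probing a local server.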
Alexey Proskuryakov
Comment 4 2024-09-07 15:47:51 PDT
Let's keep this bug to look for more targeted solutions, not dupe to the feature which is a bit of a can of worms.
Michael Catanzaro
Comment 5 2024-09-07 15:52:34 PDT
I don't think any targeted solution is possible? The options I see are:

* Back down in bug #171934, match the spec
* Revert 274409@main (please no :)
* Just accept that http:// localhost isn't going to work anymore
Alexey Proskuryakov
Comment 6 2024-09-07 16:06:29 PDT
I can think of several, however it would be helpful to get more details about the actual customer facing issue at hand. Reporter, would it be possible for you to tell us more about the issue? E.g. is it specifically about <img>, or more? Is this a publicly available website that you can share, or a corporate intranet website? How severe is the problem?
Kento Kataoka
Comment 7 2024-09-10 23:18:14 PDT
This problem is occurring on our service's website. Here is a description of how the website functions and works.

We are classified as an IdP. We provide the following “Device Authentication Service”:

1. User company administrator configures the application provided by us for each device
2. User company administrator hands over the device to User company staff
3. User company staff tries to log in to a third party service (browser or third party app):
   1. We are an IdP, and the third party service redirects to our website.
   2. On the login screen of our website, we must confirm that the device is one that User company administrator has authorized staff to log in from.
   3. The application provided by us starts serving a local HTTP server.
   4. The login screen attempts to access the local HTTP server provided in the previous step by using an <img> tag. The success of this request is exactly the proof that the user company administrator authorized the user to log in.
      - Note: This step is currently broken by this issue.

This issue is critical because our service is publicly offered.

Also, we have confirmed that this issue only occurs on macOS 15 and not on iOS 18.

This issue may be related to this issue: bug 272461