Bug 173161 - Webkit rejects requests to localhost from https:// pages
Summary: Webkit rejects requests to localhost from https:// pages
Status: RESOLVED DUPLICATE of bug 171934
Alias: None
Product: WebKit
Classification: Unclassified
Component: Evangelism (show other bugs)
Version: Safari Technology Preview
Hardware: All All
: P2 Normal
Assignee: Jon Davis
Keywords: InRadar
Depends on:
Reported: 2017-06-09 08:31 PDT by homakov
Modified: 2017-06-09 14:13 PDT (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description homakov 2017-06-09 08:31:43 PDT
Due to Mixed Content warnings on https pages both mobile and desktop Safari reject access to and ws:// which are localhost and technically not vulnerable to potential MitM attacks - there's no need to block these requests.

Here is a use case why our project badly needs this access: our app works as an authenticator like U2F that signs specific challenges given by the browser, so the user can log in some website.

When we simply open an app:// from the browser the app does not know who exactly opened it. We found a neat way to transfer unspoofable location.origin to the app: by making a request to localhost server which the app runs. 

Our app has a WebSocket server at localhost:3101 and accepts requests from the browser, then checks Origin header to get trusted origin. It works like a breeze on all other desktop browsers and in Android. Firefox already fixed it in 55: https://bugzilla.mozilla.org/show_bug.cgi?id=1370861

It would be great if Safari could stop the blocking or at worst case allow a preflight request to let websites securely call our app websocket. It's really the only way for secure site<->app communication we could find.
Comment 1 Radar WebKit Bug Importer 2017-06-09 08:31:57 PDT
Comment 2 homakov 2017-06-09 08:32:17 PDT
Comment 3 Alexey Proskuryakov 2017-06-09 14:13:16 PDT
As discussed in the original, I do not think that this is a valid use case for a web browser, and should be prevented even more strictly.

*** This bug has been marked as a duplicate of bug 171934 ***