173161 2017-06-09 08:31:43 -0700 Webkit rejects requests to localhost from https:// pages 2017-06-09 14:13:16 -0700 1 1 1 Unclassified WebKit Evangelism Safari Technology Preview All All RESOLVED DUPLICATE 171934 InRadar P2 Normal --- 1 homakov jond jond webkit-bug-importer wilander oldest_to_newest 1317392 0 homakov 2017-06-09 08:31:43 -0700 Due to Mixed Content warnings on https pages both mobile and desktop Safari reject access to http://127.0.0.1 and ws://127.0.0.1 which are localhost and technically not vulnerable to potential MitM attacks - there's no need to block these requests. Here is a use case why our project badly needs this access: our app works as an authenticator like U2F that signs specific challenges given by the browser, so the user can log in some website. When we simply open an app:// from the browser the app does not know who exactly opened it. We found a neat way to transfer unspoofable location.origin to the app: by making a request to localhost server which the app runs. Our app has a WebSocket server at localhost:3101 and accepts requests from the browser, then checks Origin header to get trusted origin. It works like a breeze on all other desktop browsers and in Android. Firefox already fixed it in 55: https://bugzilla.mozilla.org/show_bug.cgi?id=1370861 It would be great if Safari could stop the blocking or at worst case allow a preflight request to let websites securely call our app websocket. It's really the only way for secure site<->app communication we could find. 1317393 1 webkit-bug-importer 2017-06-09 08:31:57 -0700 <rdar://problem/32675155> 1317394 2 homakov 2017-06-09 08:32:17 -0700 CC 1317622 3 ap 2017-06-09 14:13:16 -0700 As discussed in the original, I do not think that this is a valid use case for a web browser, and should be prevented even more strictly. *** This bug has been marked as a duplicate of bug 171934 ***