281149 2024-10-09 10:06:31 -0700 WebKit is inconsistent about whether localhost is a secure origin or not 2026-04-20 13:41:10 -0700 1 1 1 Unclassified WebKit Page Loading WebKit Nightly Build Unspecified Unspecified REOPENED https://bugs.webkit.org/show_bug.cgi?id=171934 https://bugs.webkit.org/show_bug.cgi?id=218980 https://bugs.webkit.org/show_bug.cgi?id=232088 InRadar P2 Normal --- 1 gsnedders webkit-unassigned adomas.ven annevk ap beidson jonkoops me m_finkel rik webkit-bug-importer wilander oldest_to_newest 2066570 0 gsnedders 2024-10-09 10:06:31 -0700 We have a number of open bugs about localhost and whether or not it is secure: bug 171934 (Don't treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as mixed content), bug 218980 (Treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as potentially trustworthy URL), and bug 232088 (Unable to set secure+httpOnly cookie for localhost in Safari from Node JS). As it stands, window.isSecureOrigin is true, but you can't set secure cookies, and nor load mixed secure content. For example: https://github.com/WebKit/WebKit/blob/b50ab39c922f4afcc0b894736c29846f1f50d065/Source/WebCore/page/SecurityOrigin.cpp#L89-L105 makes localhost "potentially trustworthy" https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/MixedContentChecker.cpp#L51-L60 makes localhost insecure (unless loaded over HTTPS) https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/CookieJar.cpp#L62-L65 makes Secure cookies only work with HTTPS. Regardless of whether we want localhost to be secure or not (which I think is to some extent blocked on bug 250607?), we should at least be consistent as to whether or not it is secure. 2066571 1 webkit-bug-importer 2024-10-09 10:06:44 -0700 <rdar://problem/137604100> 2193562 2 x_bhatnagar 2026-03-25 10:53:20 -0700 Pull request: https://github.com/WebKit/WebKit/pull/61338 2196735 3 ews-feeder 2026-04-03 16:16:51 -0700 Committed 310542@main (aa297f89b9a6): <https://commits.webkit.org/310542@main> Reviewed commits have been landed. Closing PR #61338 and removing active labels. 2202376 4 gsnedders 2026-04-20 13:41:10 -0700 <rdar://175191283> https://commits.webkit.org/310542@main looks like it addressed bug 232088, as the summary line is "Add support for Secure cookies for loopback hostnames". But: that doesn't actually solve the inconsistency, as with bug 171934 and bug 218980 still unresolved we still have places where we do treat it as insecure.