Bug 281149 - Status: REOPENED
WebKit is inconsistent about whether localhost is a secure origin or not
https://bugs.webkit.org/show_bug.cgi?id=281149
Sam Sneddon [:gsnedders]
Reported 2024-10-09 10:06:31 PDT
We have a number of open bugs about localhost and whether or not it is secure: bug 171934 (Don't treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as mixed content), bug 218980 (Treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as potentially trustworthy URL), and bug 232088 (Unable to set secure+httpOnly cookie for localhost in Safari from Node JS).

As it stands, window.isSecureOrigin is true, but you can't set secure cookies, nor load mixed secure content. For example:

- https://github.com/WebKit/WebKit/blob/b50ab39c922f4afcc0b894736c29846f1f50d065/Source/WebCore/page/SecurityOrigin.cpp#L89-L105 makes localhost "potentially trustworthy"
- https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/MixedContentChecker.cpp#L51-L60 makes localhost insecure (unless loaded over HTTPS)
- https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/CookieJar.cpp#L62-L65 makes Secure cookies only work with HTTPS

Regardless of whether we want localhost to be secure or not (which I think is to some extent blocked on bug 250607?), we should at least be consistent as to whether or not it is secure.
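The inconsistency described in the report comes from three independent checks (secure context, mixed content, Secure cookies) each deciding on its own whether loopback is trustworthy. The following is an added example, not WebKit code and not from the reporter: a single "potentially trustworthy origin" predicate modelled on the W3C Secure Contexts loopback rules named in the bug (127.0.0.0/8, ::1/128, localhost, *.localhost), with the mixed-content and Secure-cookie decisions derived from that one predicate so they cannot disagree. The function names, the sample origins and the simplified Set-Cookie parsing are all constructed for illustration.

```javascript
// Added example (not WebKit code): one shared trustworthiness predicate and
// two dependent checks derived from it. Uses the WHATWG URL parser available
// as a global in Node.js and browsers.

const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/; // 127.0.0.0/8

function isLoopbackHost(hostname) {
  // The WHATWG URL parser serialises IPv6 hosts in brackets and compressed,
  // so "[0:0:0:0:0:0:0:1]" arrives here as "[::1]".
  if (hostname === "[::1]") return true; // ::1/128
  if (LOOPBACK_V4.test(hostname)) return true;
  // Accept a trailing dot ("localhost.") as the Secure Contexts spec does.
  const h = hostname.endsWith(".") ? hostname.slice(0, -1) : hostname;
  return h === "localhost" || h.endsWith(".localhost");
}

// The one place that decides trustworthiness. Every other check calls this.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trustworthy
  }
  switch (url.protocol) {
    case "https:":
    case "wss:":
    case "file:":
      return true;
    case "http:":
    case "ws:":
      return isLoopbackHost(url.hostname);
    default:
      return false;
  }
}

// Mixed content: a subresource is mixed only when the document is trustworthy
// and the subresource is not. With the shared predicate, http://localhost
// loaded from an https page is not mixed.
function isMixedContent(documentUrl, subresourceUrl) {
  return isPotentiallyTrustworthy(documentUrl) && !isPotentiallyTrustworthy(subresourceUrl);
}

// Secure cookies: a Secure-flagged cookie is stored only when it arrives from
// a trustworthy origin. Returns the stored cookie, or null when rejected.
// (Minimal Set-Cookie parsing, constructed for this example.)
function storeCookie(originUrl, setCookieHeader) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const secure = attrs.some((a) => a.toLowerCase() === "secure");
  if (secure && !isPotentiallyTrustworthy(originUrl)) return null;
  const eq = pair.indexOf("=");
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure };
}

// All three decisions for one origin, derived from the single predicate.
function classify(originUrl) {
  const trustworthy = isPotentiallyTrustworthy(originUrl);
  return {
    secureContext: trustworthy,
    secureCookiesAccepted: trustworthy,
    blockedAsMixedFromHttpsPage: isMixedContent("https://example.com/", originUrl),
  };
}

// Constructed sample origins; every loopback form must classify identically.
const SAMPLE_ORIGINS = [
  "http://localhost:8080/",
  "http://app.localhost/",
  "http://127.0.0.1:3000/",
  "http://[::1]:3000/",
  "http://example.com/",
  "https://example.com/",
];
for (const origin of SAMPLE_ORIGINS) {
  console.log(origin, classify(origin));
}
```

Running the block prints the three decisions for each constructed origin; the point of `classify` is that all three fields are computed from `isPotentiallyTrustworthy`, so a loopback origin can never be a secure context while also being refused Secure cookies or blocked as mixed content.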
Radar WebKit Bug Importer
Comment 1 2024-10-09 10:06:44 PDT
<rdar://175191283>

Xyan
Comment 2 2026-03-25 10:53:20 PDT

EWS
Comment 3 2026-04-03 16:16:51 PDT
Committed 310542@main (aa297f89b9a6): <https://commits.webkit.org/310542@main>

Reviewed commits have been landed. Closing PR #61338 and removing active labels.

Sam Sneddon [:gsnedders]
Comment 4 2026-04-20 13:41:10 PDT
https://commits.webkit.org/310542@main looks like it addressed bug 232088, as the summary line is "Add support for Secure cookies for loopback hostnames". But: that doesn't actually solve the inconsistency, as with bug 171934 and bug 218980 still unresolved we still have places where we do treat it as insecure.