fix: allow accessing http://127.0.0.1 from https page #506

Closed
wants to merge 1 commit into from


@cyjake cyjake commented Jun 8, 2020

... since 127.0.0.1 is [potentially trustworthy](https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy) and honored by most browsers (chromium & firefox)

fixes #486
@brycekahle
Contributor

Can you describe the use case where you need to access 127.0.0.1 from an https page?

@cyjake
Author

cyjake commented Jun 9, 2020

@brycekahle when developing webapps locally, the app might need to be accessed with a custom domain (such as daily.example.com) to access cookies at example.com to make third-party SSO work.

In our webapp specifically, we use webpack-dev-server in development mode to take advantage of live reload, HMR, etc. The dev server is spun up on a different port. There are two ways to accomplish the problem I described above:

a) make the dev server run in https/http2 mode as well
b) just use 127.0.0.1

The first approach isn't working well since Chrome doesn't allow IP addresses with self-issued certificates nowadays. And even if it does, developers still need to add certificate exceptions twice (one for the host domain, one for the assets domain).

The second approach (127.0.0.1) has no such issues since browsers regard it as potentially trustworthy according to the spec.
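
The loopback rule discussed in this thread, as an added example that is not part of the original conversation or of the project's code: a simplified JavaScript check modeled on the Secure Contexts "potentially trustworthy" rule, using exact host matching so look-alike hostnames are rejected. Function names and sample URLs are constructed; treating `localhost` names as trustworthy is an assumption about browser behaviour.

```javascript
// Added example, not the project's code. Simplified from the W3C Secure
// Contexts "is origin potentially trustworthy" rule referenced in this thread.
const SECURE_SCHEMES = new Set(['https:', 'wss:']);

// True for an IPv4 literal anywhere in 127.0.0.0/8, or the IPv6 loopback ::1.
// The WHATWG URL parser has already normalised forms such as "127.1".
function isLoopbackAddress(hostname) {
  if (hostname === '[::1]') return true; // URL keeps brackets on IPv6 hosts
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Assumption: the browser resolves "localhost" and "*.localhost" to loopback.
function isLocalhostName(hostname) {
  const name = hostname.replace(/\.$/, ''); // tolerate one trailing dot
  return name === 'localhost' || name.endsWith('.localhost');
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return false; // unparseable input is never trusted
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  const host = url.hostname.toLowerCase();
  // Match the whole host, never a prefix: "127.0.0.1.example.com" is remote.
  return isLoopbackAddress(host) || isLocalhostName(host);
}

// Constructed sample URLs a page served over https might try to load.
const SAMPLES = [
  'http://127.0.0.1:8080/app.js',  // dev server on loopback
  'http://[::1]:3000/hmr',         // IPv6 loopback
  'http://127.0.0.1.example.com/', // look-alike hostname, not loopback
  'http://192.168.1.10/app.js',    // private LAN address, not loopback
  'http://daily.example.com/',     // plain http on a real domain
];

// Returns { url: boolean } for each sample.
function classify(urls) {
  return Object.fromEntries(urls.map((u) => [u, isPotentiallyTrustworthy(u)]));
}

console.log(classify(SAMPLES));
```
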

@brycekahle
Contributor

Fixed in a57c910

@brycekahle brycekahle closed this Aug 2, 2020
@cyjake cyjake deleted the fix-secure-host-check branch August 3, 2020 05:39
Successfully merging this pull request may close these issues.

Is it possible to allow 127.0.0.1 when accessed under secure domain?