Open lidel opened 4 years ago
This appears to also affect Firefox's new HTTPS-only mode (dom.security.https_only_mode;true), I was hoping that Firefox 76 might also have fixed the aforementioned Consider hardcoding localhost names to the loopback address, but that doesn't seem to be the case.
Any plans on fixing this? It's still causing issues. (or a workaround)
I think this may be fixed or at least Firefox's own HTTPS-only mode I mentioned in my last comment doesn't seem to cause issues with IPFS browsing anymore. Firefox's Bug 1220810 (let-localhost-be-localhost) has also been closed 4 months ago.
Links I tested include http://ipfs.io.ipns.localhost:8080/ ("IPFS powers the Distributed Web") and http://http.badssl.com/ ("HTTPS-only mode warning: Protected connection is not available" (translated from Finnish)).
There is an Encrypt All Sites Eligible (EASE) opt-in mode in HTTPS Everywhere which protects users against downgrade from https:// to http:// even when HSTS header is not present.
Problem
This is a minor inconvenience for DNSLink redirects to *.localhost subdomains introduced in #853, as those get blocked if the feature is enabled:
Solution
*.localhost as Secure Context (Bug 1220810), but that depends on how HTTPS Everywhere determines "unsafe" redirect (won't help if they just look at URL.protocol scheme, and not if URL.origin is Secure Context)
*.localhost as browser vendors hardcode it to point at loopback IP and mark it as Secure Context
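
The distinction drawn in the Solution notes above (a URL.protocol check versus a Secure Context check), as an added example that is not part of the original issue and is not HTTPS Everywhere or IPFS Companion code. Function names are hypothetical, the source URL of the redirect is a constructed sample, and the trustworthiness test is a simplified subset of the W3C Secure Contexts "potentially trustworthy origin" rules.

```javascript
// Added illustration: hypothetical helpers, not code from any extension.

// Scheme-only check: every https: -> http: redirect is treated as a downgrade.
function isDowngradeByScheme(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' &&
         new URL(toUrl).protocol === 'http:';
}

// Simplified subset of the Secure Contexts test: encrypted schemes,
// localhost names, and loopback IP literals count as trustworthy.
function isPotentiallyTrustworthy(url) {
  const { protocol, hostname } = new URL(url);
  if (protocol === 'https:' || protocol === 'wss:') return true;
  // Drop a trailing root dot so "localhost." is handled like "localhost".
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true; // IPv6 loopback literal
  // IPv4 loopback range 127.0.0.0/8 (the URL parser normalizes IPv4 hosts).
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Origin-aware check: only a move from a trustworthy origin to an
// untrustworthy one is a downgrade.
function isDowngradeBySecureContext(fromUrl, toUrl) {
  return isPotentiallyTrustworthy(fromUrl) && !isPotentiallyTrustworthy(toUrl);
}

// Constructed sample redirects: a DNSLink-style redirect to a *.localhost
// gateway subdomain, and a redirect to a plain-HTTP public site.
const samples = [
  ['https://ipfs.io/', 'http://ipfs.io.ipns.localhost:8080/'],
  ['https://example.com/', 'http://http.badssl.com/'],
];

for (const [from, to] of samples) {
  console.log(to,
    'scheme-only blocks:', isDowngradeByScheme(from, to),
    'secure-context blocks:', isDowngradeBySecureContext(from, to));
}
```

The scheme-only check blocks both sample redirects, while the origin-aware check blocks only the one that leaves a trustworthy origin for a public plain-HTTP host.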