5

I make an HTTP request:

  • from an HTTPS JSFiddle: fetch('http://localhost:8090').then(...)
  • to HTTP localhost or 127.0.0.1

And it works.

No "Mixed Content" errors in Chrome (v89.0.4389.90) and Firefox (v86.0.1). Only Safari blocks the request. However, requests to 192.168.1.x trigger "Mixed Content" errors.

Is localhost explicitly whitelisted in Chrome and Firefox? Or is it scheduled by browser vendors to be blocked with "Mixed Content" at some point, too?

Can this be relied upon, for example, to control a local app bound to localhost that serves an HTTP API?

Andrey Moiseev

1 Answer

5

From MDN

Browsers may allow locally-delivered mixed resources to be loaded. This includes file: URLs and content accessed from loopback addresses (e.g. http://127.0.0.1/).

  • Firefox 55 and later allow loading of mixed content on the loopback address http://127.0.0.1/ (see bug 903966),
  • Firefox 84 and later allow loading of mixed content on http://localhost/ and http://*.localhost/ URLs, as these are now mapped to loopback addresses (see bug 1220810).
  • Chrome also allows mixed content on http://127.0.0.1/ and http://localhost/.
  • Safari does not allow any mixed content.

Both 127.0.0.1 and localhost are considered to be Potentially Trustworthy, hence the browser can decide on the result.

https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-origin

The behavior of Safari looks like a bug, and it could change in the future. See a discussion here: "Don't treat loopback addresses as mixed content"

lastr2d2
  • Is/will the localhost mixed-content be fixed in Safari? I'm wondering how Postman works on Mac OS, with their local agent running on a local HTTP server – Tobiq Sep 04 '22 at 08:37
  • Related: https://softwareengineering.stackexchange.com/questions/440819/how-can-i-reliably-connect-my-browser-application-to-a-local-daemon – Tobiq Sep 04 '22 at 08:37
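
The loopback exemption described in the answer, as an added example that is not part of the original post or any browser's code: a simplified JavaScript model of the Secure Contexts "potentially trustworthy" check, showing why localhost and 127.0.0.1 pass from an HTTPS page while 192.168.1.x and look-alike hostnames are blocked. The function names, the allowLoopback switch and the sample URLs are assumptions made for illustration.

```javascript
// Added example: simplified model of the Secure Contexts
// "potentially trustworthy" check applied to mixed-content blocking.

// Loopback hosts: 127.0.0.0/8, ::1, localhost and *.localhost.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // ignore trailing dot
  if (host === '[::1]') return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;
  return host === 'localhost' || host.endsWith('.localhost');
}

// Authenticated schemes, file: URLs and loopback hosts count as trustworthy.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  if (['https:', 'wss:', 'file:'].includes(url.protocol)) return true;
  return isLoopbackHost(url.hostname);
}

// allowLoopback is a hypothetical switch: false models a browser with no
// loopback exemption (Safari, as described in the answer).
function isBlockedMixedContent(pageUrl, requestUrl, allowLoopback = true) {
  if (new URL(pageUrl).protocol !== 'https:') return false; // page is not secure
  const scheme = new URL(requestUrl).protocol;
  if (scheme === 'https:' || scheme === 'wss:') return false;
  return !(allowLoopback && isPotentiallyTrustworthy(requestUrl));
}

// Constructed sample targets, including look-alike hostnames that must not
// be mistaken for loopback.
const samplePage = 'https://jsfiddle.net/';
const sampleTargets = [
  'http://localhost:8090',
  'http://127.0.0.1:8090/',
  'http://[::1]:8090/',
  'http://api.localhost/',
  'http://192.168.1.10:8090/',
  'http://localhost.example.com/',
  'http://127.0.0.1.example.com/',
];
for (const target of sampleTargets) {
  const verdict = isBlockedMixedContent(samplePage, target) ? 'blocked' : 'allowed';
  console.log(`${verdict.padEnd(8)} ${target}`);
}
```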