从 HTTPS 网页访问的 Localhost HTTP。为什么没有 "Mixed Content" 错误？

Localhost HTTP accessed from HTTPS webpage. Why no "Mixed Content" error?

我发出 HTTP 请求：

来自 HTTPS JSFiddle：fetch('http://localhost:8090').then(...)
到 HTTP 本地主机或 127.0.0.1

而且有效。

Chrome (v89.0.4389.90) 和 Firefox (v86.0.1) 中没有“混合内容”错误。只有 Safari 会阻止请求。但是，对 192.168.1.x 的请求会触发“混合内容”错误。

localhost 是否在 Chrome 和 Firefox 中明确列入白名单？或者它是否也被浏览器供应商安排在某个时候被“混合内容”阻止？

例如，可以依靠它来控制绑定到本地主机的本地应用程序，该本地主机提供 HTTP API？

来自MDN

Browsers may allow locally-delivered mixed resources to be loaded. This includes file: URLs and content accessed from loopback addresses (e.g. http://127.0.0.1/).

Firefox 55 and later allow loading of mixed content on the loopback address http://127.0.0.1/ (see bug 903966),

Firefox 84 and later allow loading of mixed content on http://localhost/ and http://*.localhost/ URLs, as these are now mapped to loopback addresses (see bug 1220810).

Chrome also allows mixed content on http://127.0.0.1/ and http://localhost/.

Safari does not allow any mixed content.

127.0.0.1 和 localhost 都被认为是潜在可信 因此浏览器可以决定结果。

https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-origin

Safari 的行为看起来像一个错误，将来可能会改变。在此处查看讨论 Don't treat loopback addresses as mixed content

从 HTTPS 网页访问的 Localhost HTTP。为什么没有 "Mixed Content" 错误？

Localhost HTTP accessed from HTTPS webpage. Why no "Mixed Content" error?

javascript

https

google-chrome

http

mixed-content