Re: [secure-contexts] `*.localhost` + DNS

From: Craig Francis <craig.francis@gmail.com>
Date: Tue, 3 May 2016 12:43:02 +0100
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <5BCB0A54-F903-482D-A98B-8C2FD65C72EA@gmail.com>
To: Mike West <mkwst@google.com>

While we are talking about this (please ignore if it's too much of a tangent)...

As a developer that works on multiple websites, I have a wildcard DNS entry that points `projectABC.laptop.example.com` to 127.0.0.1 (as an aside it resolves to 192.168.0.5 for the browsers in a VM).

I would like this setup, where the DNS does resolve to 127.0.0.1, to be considered a secure origin, so I can easily develop websites without having to set up HTTPS on my local machine (I suspect I will need to anyway, but thought I'd mention it).

Craig




> On 3 May 2016, at 11:22, Mike West <mkwst@google.com> wrote:
> 
> In https://bugs.chromium.org/p/chromium/issues/detail?id=607878#c9, Ryan and Emily have (again) reminded me that the resolution rules for `*.localhost` in https://tools.ietf.org/html/rfc6761#section-6.3 are all MAY or SHOULD, and folks are SHOULDing their way out to the network in various configurations.
> 
> Given this, it's not clear to me that we can ("should"?) treat `*.localhost` as a secure context. I think it might be a good idea to drop step 3 of https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy accordingly.
> 
> WDYT?
> 
> -mike
Received on Tuesday, 3 May 2016 11:43:26 UTC
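
The two cases raised in this thread, worked through as an added example (not code from either participant, the spec, or any browser): a trust decision made from the host name alone compared with one made from the addresses the name actually resolves to. The function names, the three resolvers and their answers are constructed for illustration; 203.0.113.7 is a documentation-range address standing in for "somewhere on the network".

```python
import ipaddress

def name_says_localhost(host):
    """Name-only rule: 'localhost' or any name under '.localhost'."""
    h = host.rstrip(".").lower()
    return h == "localhost" or h.endswith(".localhost")

def addresses_are_loopback(addrs):
    """Address rule: at least one answer, and every answer is loopback."""
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)

def evaluate(host, resolver):
    """Apply both rules to one host as seen through one resolver."""
    addrs = resolver(host)
    return {"host": host, "addrs": addrs,
            "by_name": name_says_localhost(host),
            "by_address": addresses_are_loopback(addrs)}

# Constructed resolvers (assumptions, no real DNS traffic).
def laptop_resolver(host):
    # Wildcard record from the first message, as seen on the laptop.
    if host.lower().endswith(".laptop.example.com"):
        return ["127.0.0.1"]
    return ["127.0.0.1", "::1"] if name_says_localhost(host) else []

def vm_resolver(host):
    # Same wildcard record as seen by browsers inside the VM.
    if host.lower().endswith(".laptop.example.com"):
        return ["192.168.0.5"]
    return ["127.0.0.1"] if name_says_localhost(host) else []

def forwarding_resolver(host):
    # A configuration that sends *.localhost queries out to the network.
    if host.lower() == "localhost":
        return ["127.0.0.1"]
    return ["203.0.113.7"] if host.lower().endswith(".localhost") else []

if __name__ == "__main__":
    cases = [("projectABC.laptop.example.com", laptop_resolver),
             ("projectABC.laptop.example.com", vm_resolver),
             ("app.localhost", laptop_resolver),
             ("app.localhost", forwarding_resolver)]
    for host, resolver in cases:
        r = evaluate(host, resolver)
        print(f"{resolver.__name__:20} {host:32} {r['addrs']} "
              f"by_name={r['by_name']} by_address={r['by_address']}")
```

The same name yields different answers under different resolvers, so the name-only rule and the address rule disagree in both directions: `app.localhost` passes by name while resolving off-host, and the wildcard development name fails by name while resolving to loopback on the laptop.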