
Re: [secure-contexts] `*.localhost` + DNS

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 5 May 2016 01:14:14 +1000
Message-ID: <CABkgnnUQQQ=y3NEjAX3kc7bFbpNV2eq1NQo-t1=udcrpNbgxwg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 3 May 2016 at 20:22, Mike West <mkwst@google.com> wrote:
> Given this, it's not clear to me that we can ("should"?) treat `*.localhost`
> as a secure context. I think it might be a good idea to drop step 3 of
> https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy accordingly.

This violates expectations for users:

http://127.0.0.1/ -- OK
http://[::1]/ -- OK
http://localhost/ -- not OK

I think that Richard is on the right approach here.  It's not that
hard to stand up a self-signed cert for loopback and then go through
certificate exception dialogs as a one-off.  That deals with the
developer case.

The case of talking to local applications that offer web servers
locally is actually the same problem as talking to your router.  We
don't have a great story for that, but the certificate exception is
the answer there (for the moment).
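The inconsistency Martin points at (loopback IP literals counted as secure while `http://localhost/` is not) can be made concrete with a small model of the "is origin potentially trustworthy" check. The following is an added example written for this archive page, not code from the thread or from the Secure Contexts specification; it loosely follows the scheme, loopback-address and `*.localhost` checks discussed above, and the `trust_localhost_names` flag is an assumption introduced here to stand for keeping or dropping the `*.localhost` step.

```python
import ipaddress
from urllib.parse import urlsplit


def host_is_loopback_ip(host):
    """True if host is an IP literal in the loopback range (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # not an IP literal at all


def host_is_localhost_name(host):
    """True for 'localhost' and any label under '.localhost'."""
    h = host.lower().rstrip(".")
    return h == "localhost" or h.endswith(".localhost")


def is_potentially_trustworthy(url, trust_localhost_names=True):
    """Simplified model of the secure-context origin check.

    trust_localhost_names=True keeps the '*.localhost' step that Mike
    proposes dropping; False models the check without it.  Names are
    judged by string form only, which is exactly why '*.localhost' is
    weaker than an IP literal: the name might resolve somewhere else.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit strips the [] around IPv6
    if scheme in ("https", "wss"):
        return True
    if host_is_loopback_ip(host):
        return True
    if trust_localhost_names and host_is_localhost_name(host):
        return True
    return False


def compare(urls):
    """Map each URL to (with localhost step, without localhost step)."""
    return {
        u: (is_potentially_trustworthy(u, True),
            is_potentially_trustworthy(u, False))
        for u in urls
    }


if __name__ == "__main__":
    # The three origins from the message above (constructed sample input).
    for url, (kept, dropped) in compare([
        "http://127.0.0.1/", "http://[::1]/", "http://localhost/",
    ]).items():
        print(f"{url:22} step kept: {kept!s:5} step dropped: {dropped}")
```

Running it prints the split Martin describes: both IP-literal origins stay trustworthy under either variant, while `http://localhost/` flips to untrusted once the name-based step is removed. A browser that wanted to keep `localhost` secure without trusting the string alone would have to confirm at resolution time that the name actually resolves to a loopback address, which is the DNS concern Mike raised.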
Received on Wednesday, 4 May 2016 15:20:34 UTC
