Re: [secure-contexts] `*.localhost` + DNS from Martin Thomson on 2016-05-04 (public-webappsec@w3.org from May 2016)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 5 May 2016 01:14:14 +1000
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CABkgnnUQQQ=y3NEjAX3kc7bFbpNV2eq1NQo-t1=udcrpNbgxwg@mail.gmail.com>

On 3 May 2016 at 20:22, Mike West <mkwst@google.com> wrote:
> Given this, it's not clear to me that we can ("should"?) treat `*.localhost`
> as a secure context. I think it might be a good idea to drop step 3 of
> https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy accordingly.

This violates expectations for users:

http://127.0.0.1/ -- OK
http://[::1]/ -- OK
http://localhost/ -- not OK

I think that Richard is on the right approach here.  It's not that
hard to stand up a self-signed cert for loopback and then go through
certificate exception dialogs as a one-off.  That deals with the
developer case.

The case of talking to local applications that offer web servers
locally is actually the same problem as talking to your router.  We
don't have a great story for that, but the certificate exception is
the answer there (for the moment).

Received on Wednesday, 4 May 2016 15:20:34 UTC