Re: [secure-contexts] `*.localhost` + DNS

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 4 May 2016 09:16:38 -0700
Message-ID: <CADYDTCBi1VfvWq5Ph0KwEWXPhJ8yJtJNj8pOvqvmZHOBgi3Z-g@mail.gmail.com>
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Richard Barnes <rbarnes@mozilla.com>, Mike West <mkwst@google.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, May 3, 2016 at 6:22 AM, Adrian Hope-Bailie <adrian@hopebailie.com>
wrote:

> Are you saying that the intent is to not consider the actual resolved IP
> address of the host but rather the host portion of the requested URL? It
> would seem less "hacky" to have a rule that simply says, if the host
> resolves to 127.0.0.1 it's secure.


It would be less hacky to the user, but at least in Gecko there's not
currently a good path for the DOM layer that is making these security
decisions to get the resolved IP address from the networking layer. As a
practical matter it would be far easier to support a flag as Mike
suggested than to rewrite a bunch of internal APIs.

-Dan Veditz
Received on Wednesday, 4 May 2016 16:17:09 UTC
