W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2016

Re: [secure-contexts] `*.localhost` + DNS

From: Mike West <mkwst@google.com>
Date: Wed, 4 May 2016 18:25:52 +0200
Message-ID: <CAKXHy=du7dB9QeacuGVasbX3ekUoJk3P878QSowCJsOe=2Cg4g@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, Richard Barnes <rbarnes@mozilla.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, May 4, 2016 at 6:16 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Tue, May 3, 2016 at 6:22 AM, Adrian Hope-Bailie <adrian@hopebailie.com>
> wrote:
>
>> Are you saying that the intent is to not consider the actual resolved IP
>> address of the host but rather the host portion of the requested URL? It
>> would seem less "hacky" to have a rule that simply says, if the host
>> resolves to 127.0.0.1 it's secure.
>
>
> ​It would be less hacky to the user, but at least in Gecko there's not
> currently a good path for the DOM layer that is making these security
> decisions to get the resolved IP address from the networking
> l​ayer​​. As a practical matter it would be far easier to support a flag
> as Mike suggested than to rewrite a bunch of internal APIs.
>

I don't think this is a good argument for the position; we should support
users when it makes sense to do so, even if it's annoying work for us as
browser vendors.

I think a better argument is that the Secure Contexts spec is setting up a
default set of behavior which needs to be "secure" for all users,
developers or not. I think it's totally reasonable to be conservative in
those defaults, while giving developers the tools they need to develop.

We should not, for instance, whitelist everything under `*.test` as
"secure", because we have no idea whether those endpoints would end up
being "secure". We can, however, allow developers to do so locally if they
so desire.

Similarly, we don't know that `*.localhost` is resolving to the loopback
address. In the absence of certainty, it makes sense to default to
something conservative (we _know_ that `127.0.0.0/8` won't talk to the
internet), and allow developers to make informed decisions about the risks
that they're capable of making.

-mike
Received on Wednesday, 4 May 2016 16:26:42 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC