Re: [secure-contexts] `*.localhost` + DNS from Daniel Veditz on 2016-05-04 (public-webappsec@w3.org from May 2016)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 4 May 2016 09:46:07 -0700
To: Mike West <mkwst@google.com>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, Richard Barnes <rbarnes@mozilla.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADYDTCApK0b1Qe+f9=p6Hj6J=sY6fwdSj-N6X96vW-XV0LPxMA@mail.gmail.com>

On Wed, May 4, 2016 at 9:25 AM, Mike West <mkwst@google.com> wrote:

>
> I don't think this is a good argument for the position; we should support
> users when it makes sense to do so, even if it's annoying work for us as
> browser vendors.
>

It's a terrible argument for what the spec should say, agreed. Does
influence how our team prioritizes implementing specs (this seems like a
small gain for a lot of work).

> Similarly, we don't know that `*.localhost` is resolving to the loopback
> address. In the absence of certainty, it makes sense to default to
> something conservative (we _know_ that `127.0.0.0/8` <http://127.0.0.0/8>
> won't talk to the internet), and allow developers to make informed
> decisions about the risks that they're capable of making.
>

I haven't talked to our team but I'm confident we wouldn't blindly
whitelist *.localhost as "secure" if we can't get the IP information to be
sure. We might consider treating "http://localhost/" as "secure-enough",
even knowing that the occasional eccentric maps that somewhere else.

-Dan Veditz

Received on Wednesday, 4 May 2016 17:48:18 UTC