On Wed, May 4, 2016 at 9:46 AM, Daniel Veditz <dveditz@mozilla.com> wrote: > On Wed, May 4, 2016 at 9:25 AM, Mike West <mkwst@google.com> wrote: > >> >> I don't think this is a good argument for the position; we should support >> users when it makes sense to do so, even if it's annoying work for us as >> browser vendors. >> > > It's a terrible argument for what the spec should say, agreed. Does > influence how our team prioritizes implementing specs (this seems like a > small gain for a lot of work). > > > >> Similarly, we don't know that `*.localhost` is resolving to the loopback >> address. In the absence of certainty, it makes sense to default to >> something conservative (we _know_ that `127.0.0.0/8` <http://127.0.0.0/8> >> won't talk to the internet), and allow developers to make informed >> decisions about the risks that they're capable of making. >> > > I haven't talked to our team but I'm confident we wouldn't blindly > whitelist *.localhost as "secure" if we can't get the IP information to be > sure. We might consider treating "http://localhost/" as "secure-enough", > even knowing that the occasional eccentric maps that somewhere else. > Why differentiate *.localhost from localhost when RFC 6761 doesn't treat them differently? (I imagine that the argument is that most resolvers treat localhost as special even if not *.localhost, but that seems like shaky grounds on which to call something secure-enough.) > > -Dan Veditz >
Received on Wednesday, 4 May 2016 20:49:52 UTC