Re: [secure-contexts] `*.localhost` + DNS from Chris Palmer on 2016-05-04 (public-webappsec@w3.org from May 2016)

From: Chris Palmer <palmer@google.com>
Date: Wed, 4 May 2016 14:52:13 -0700
To: "Emily Stark (Dunn)" <estark@google.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, Richard Barnes <rbarnes@mozilla.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOuvq20rmYgKR6h6e+2JkpZFqWCp6O7axoCieXk24RADzS35Cg@mail.gmail.com>

On Wed, May 4, 2016 at 12:03 PM, Emily Stark (Dunn) <estark@google.com>
wrote:

Why differentiate *.localhost from localhost when RFC 6761 doesn't treat
> them differently? (I imagine that the argument is that most resolvers treat
> localhost as special even if not *.localhost, but that seems like shaky
> grounds on which to call something secure-enough.)
>

You are right, those are shaky grounds.

I'm increasingly inclined to remove localhost (but not 127/8 or ::1) from
the set of secure contexts, and to resolve the developer-pain problem with
a command line flag or other run-time, expert-user option.

Received on Wednesday, 4 May 2016 21:52:41 UTC