Re: [secure-contexts] `*.localhost` + DNS from Mike West on 2016-05-06 (public-webappsec@w3.org from May 2016)

From: Mike West <mkwst@google.com>
Date: Fri, 6 May 2016 10:54:10 +0200
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Chris Palmer <palmer@google.com>, "Emily Stark (Dunn)" <estark@google.com>, Daniel Veditz <dveditz@mozilla.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=f+g4aTS37zoqm-YsKbansq5m62MO_Xtd5MRw802XRT3w@mail.gmail.com>

On Wed, May 4, 2016 at 11:52 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

> On Wed, May 4, 2016 at 5:52 PM, Chris Palmer <palmer@google.com> wrote:
>
>> On Wed, May 4, 2016 at 12:03 PM, Emily Stark (Dunn) <estark@google.com>
>> wrote:
>>
>> Why differentiate *.localhost from localhost when RFC 6761 doesn't treat
>>> them differently? (I imagine that the argument is that most resolvers treat
>>> localhost as special even if not *.localhost, but that seems like shaky
>>> grounds on which to call something secure-enough.)
>>>
>>
>> You are right, those are shaky grounds.
>>
>> I'm increasingly inclined to remove localhost (but not 127/8 or ::1) from
>> the set of secure contexts, and to resolve the developer-pain problem with
>> a command line flag or other run-time, expert-user option.
>>
>
> I am also trending in that direction.
>

I've made this change to the spec in
https://github.com/w3c/webappsec-secure-contexts/commit/77175e335f96e52431888dfacf382c47e9637aeb
.

-mike

Received on Friday, 6 May 2016 08:54:59 UTC