Re: `localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.) from Mike West on 2016-09-29 (www-tag@w3.org from September 2016)

From: Mike West <mkwst@google.com>
Date: Thu, 29 Sep 2016 09:56:39 +0200
To: "Emily Stark (Dunn)" <estark@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, Jake Archibald <jakearchibald@google.com>, Erik Nygren <erik+w3@nygren.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "www-tag@w3.org List" <www-tag@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <CAKXHy=fKvSkFA70PEqAnKRApS8UFSJy_cZyYm+D0FgEEa2KJSA@mail.gmail.com>

On Wed, Sep 28, 2016 at 7:58 PM, Emily Stark (Dunn) <estark@google.com>
wrote:

> We twittered about this briefly, but I wanted to check: is the proposal
> that 'let localhost be localhost' goes through and then Secure Contexts
> changes to say that browsers should hardcode the resolution of local
> hostnames to loopback IPs?
>

My goal with the ID is to give Chrome cover to reject resolutions of
`*.localhost` that don't map to loopback IP addresses. We'd either fail the
resolution, or fallback to 127.0.0.1, or something similar. I don't have
strong opinions about the exact behavior, but the impact would be that we
could continue treating `localhost` as a secure context. I think that's in
line with developer expectations, and I would appreciate other browsers
following along.

To that end, Secure Contexts would revert
https://github.com/w3c/webappsec-secure-contexts/commit/77175e335f96e52431888dfacf382c47e9637aeb,
and add a requirement for conformant user agents to ensure that localhost
resolution follows the ID.

Does that make sense?

-mike

Received on Thursday, 29 September 2016 07:57:30 UTC