W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2016

[secure-contexts] `*.localhost` + DNS

From: Mike West <mkwst@google.com>
Date: Tue, 3 May 2016 12:22:56 +0200
Message-ID: <CAKXHy=emt8g+fqWafiCr4ECjy6=oOh6YEUh68qz3BuGastKqYA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
In https://bugs.chromium.org/p/chromium/issues/detail?id=607878#c9, Ryan
and Emily have (again) reminded me that the resolution rules for
`*.localhost` in https://tools.ietf.org/html/rfc6761#section-6.3 are all
MAY or SHOULD, and folks are SHOULDing their way out to the network in
various configurations.

Given this, it's not clear to me that we can ("should"?) treat
`*.localhost` as a secure context. I think it might be a good idea to drop
step 3 of https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy
accordingly.

WDYT?

-mike
Received on Tuesday, 3 May 2016 10:23:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC