Re: [secure-contexts] `*.localhost` + DNS from Adrian Hope-Bailie on 2016-05-03 (public-webappsec@w3.org from May 2016)

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Tue, 3 May 2016 13:33:19 +0200
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CA+eFz_+boRPPcOb-dzVHf13eNt5bo7QGt2=wyFfpz5rR=gJWqQ@mail.gmail.com>

+1

On 3 May 2016 at 12:22, Mike West <mkwst@google.com> wrote:

> In https://bugs.chromium.org/p/chromium/issues/detail?id=607878#c9, Ryan
> and Emily have (again) reminded me that the resolution rules for
> `*.localhost` in https://tools.ietf.org/html/rfc6761#section-6.3 are all
> MAY or SHOULD, and folks are SHOULDing their way out to the network in
> various configurations.
>
> Given this, it's not clear to me that we can ("should"?) treat
> `*.localhost` as a secure context. I think it might be a good idea to drop
> step 3 of https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy
> accordingly.
>
> WDYT?
>
> -mike
>

Received on Tuesday, 3 May 2016 11:33:51 UTC