Re: [secure-contexts] `*.localhost` + DNS

On Tue, May 3, 2016 at 8:08 AM, Mike West <> wrote:

> On Tue, May 3, 2016 at 1:43 PM, Craig Francis <>
> wrote:
>> As a developer that works on multiple websites, I have a wildcard DNS
>> entry that points `
>> <>` to (as an aside it
>> resolves to for the browsers in a VM).
>> I would like this setup, where the DNS does resolve to, to be
>> considered a secure origin, so I can easily develop websites without having
>> to setup HTTPS on my local machine (I suspect I will need to anyway, but
>> though I'd mention it).
> Understood. This is something we've resisted offering in the past due both
> to conceptual complexity, as well as nondeterministic behavior. It would be
> difficult for you to understand why, for instance, `
>` was secure when it pointed to ``,
> but not when it pointed to ``, because that resolution is
> completely opaque to you, the user.
> A better solution, I think, is for browser vendors to provide an override
> mechanism for origins you specifically care about: Chrome
> has `--unsafely-treat-insecure-origin-as-secure="
>"`, and I assume Safari, Opera, Firefox,
> and Edge could be prevailed upon to provide similar controls as suggested
> in

Yes, we probably could, if people really want it.

It's getting pretty trivial to set up HTTPS locally, though.


Received on Tuesday, 3 May 2016 12:44:42 UTC