W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2016

Re: [secure-contexts] `*.localhost` + DNS

From: Richard Barnes <rbarnes@mozilla.com>
Date: Tue, 3 May 2016 08:44:12 -0400
Message-ID: <CAOAcki-zuvE35Pr4A9neJWkuOca9=MmYuBe1s6FDr-4kOh_geQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, May 3, 2016 at 8:08 AM, Mike West <mkwst@google.com> wrote:

> On Tue, May 3, 2016 at 1:43 PM, Craig Francis <craig.francis@gmail.com>
> wrote:
>> As a developer that works on multiple websites, I have a wildcard DNS
>> entry that points `projectABC.laptop.example.com
>> <http://projectabc.laptop.example.com>` to (as an aside it
>> resolves to for the browsers in a VM).
>> I would like this setup, where the DNS does resolve to, to be
>> considered a secure origin, so I can easily develop websites without having
>> to setup HTTPS on my local machine (I suspect I will need to anyway, but
>> though I'd mention it).
> Understood. This is something we've resisted offering in the past due both
> to conceptual complexity, as well as nondeterministic behavior. It would be
> difficult for you to understand why, for instance, `
> project.laptop.example.com` was secure when it pointed to ``,
> but not when it pointed to ``, because that resolution is
> completely opaque to you, the user.
> A better solution, I think, is for browser vendors to provide an override
> mechanism for origins you specifically care about: Chrome
> has `--unsafely-treat-insecure-origin-as-secure="
> http://project.laptop.example.com"`, and I assume Safari, Opera, Firefox,
> and Edge could be prevailed upon to provide similar controls as suggested
> in https://www.w3.org/TR/secure-contexts/#development-environments.

Yes, we probably could, if people really want it.

It's getting pretty trivial to set up HTTPS locally, though.

Received on Tuesday, 3 May 2016 12:44:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC