Re: [secure-contexts] `*.localhost` + DNS

On 3 May 2016, at 13:44, Richard Barnes <rbarnes@mozilla.com> wrote:
> 
> On Tue, May 3, 2016 at 8:08 AM, Mike West <mkwst@google.com> wrote:
> 
> On Tue, May 3, 2016 at 1:43 PM, Craig Francis <craig.francis@gmail.com> wrote:
> 
> I would like this setup, where the DNS does resolve to 127.0.0.1, to be considered a secure origin, so I can easily develop websites without having to set up HTTPS on my local machine (I suspect I will need to anyway, but thought I'd mention it).
> 
> Understood. This is something we've resisted offering in the past due both to conceptual complexity, as well as nondeterministic behavior. It would be difficult for you to understand why, for instance, `project.laptop.example.com` was secure when it pointed to `127.0.0.1`, but not when it pointed to `192.168.0.5`, because that resolution is completely opaque to you, the user.
> 
> A better solution, I think, is for browser vendors to provide an override mechanism for origins you specifically care about: Chrome has `--unsafely-treat-insecure-origin-as-secure="http://project.laptop.example.com"`, and I assume Safari, Opera, Firefox, and Edge could be prevailed upon to provide similar controls as suggested in https://www.w3.org/TR/secure-contexts/#development-environments.
> 
> Yes, we probably could, if people really want it.
> 
> It's getting pretty trivial to set up HTTPS locally, though.



I think HTTPS setup for dev is getting better, but it's still tricky (a self-signed wildcard is probably easier for me, as Let's Encrypt is really a single website thing at the moment, and would require the dev machine to be available on the internet, and to redo every 90 days).

As to `--unsafely-treat-insecure-origin-as-secure`, that kind of works, but as the name suggests, I don't really want to use it (I'm also not in a position to test atm, but I don't think it works with a wildcard).

And just for reference, my wildcard setup works by using Apache RewriteRules to set the DocumentRoot, so a new dev website can be created by simply creating a folder (of which I currently have 48 on my main computer).

Received on Tuesday, 3 May 2016 13:26:05 UTC
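
The distinction argued over in this thread, as an added example that is not part of the original messages and not any browser's actual code: an origin check that looks only at the scheme and host literal, never at what a name resolves to, plus an explicit per-origin developer override. The function names, the `trustLocalhostNames` and `devOverrides` options, and the exact-match behaviour of the override list are assumptions made for this sketch.

```javascript
// Added example: simplified origin-trust check; all names here are hypothetical.
// The decision uses only the URL's scheme and host literal. No DNS lookup is made,
// so a name that merely resolves to 127.0.0.1 is not treated as secure.

function isLoopbackLiteral(hostname) {
  // The WHATWG URL parser keeps the brackets on IPv6 hostnames.
  if (hostname === '[::1]') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127; // 127.0.0.0/8
}

function isLocalhostName(hostname) {
  const h = hostname.replace(/\.$/, ''); // tolerate a trailing root dot
  return h === 'localhost' || h.endsWith('.localhost');
}

function classifyOrigin(input, opts = {}) {
  const { trustLocalhostNames = false, devOverrides = [] } = opts;
  let url;
  try {
    url = new URL(input);
  } catch {
    return { secure: false, reason: 'unparseable' };
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:') {
    return { secure: true, reason: 'authenticated-scheme' };
  }
  if (isLoopbackLiteral(url.hostname)) {
    return { secure: true, reason: 'loopback-literal' };
  }
  // Policy switch: whether `localhost` and `*.localhost` names count is
  // exactly the question this thread is debating, so it is off by default.
  if (trustLocalhostNames && isLocalhostName(url.hostname)) {
    return { secure: true, reason: 'localhost-name' };
  }
  // Explicit, exact-match opt-in per origin (assumed: no wildcard support).
  if (devOverrides.includes(url.origin)) {
    return { secure: true, reason: 'developer-override' };
  }
  return { secure: false, reason: 'insecure-origin' };
}
```

Because the result depends only on the string the user can see, the same origin always gets the same answer regardless of which address its name points to.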