
Re: [secure-contexts] `*.localhost` + DNS

From: Harssh Mahajan <harssh@gmail.com>
Date: Tue, 3 May 2016 20:46:18 +0530
Message-ID: <CAJN0qJGLo7mJY_agkA72cqduN1aYwi==z2013Fr=LSDCdu06zw@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Mike West <mkwst@google.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I would suggest implementing a workaround: configure the application to allow
HTTP connections on localhost. In C#, Request.Url.IsLoopback will return
true for localhost.

Specifying it in DNS will introduce a Same Site Scripting bug.
Source: https://www.acunetix.com/vulnerabilities/web/same-site-scripting


On Tue, May 3, 2016 at 6:14 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

> On Tue, May 3, 2016 at 8:08 AM, Mike West <mkwst@google.com> wrote:
>> On Tue, May 3, 2016 at 1:43 PM, Craig Francis <craig.francis@gmail.com>
>> wrote:
>>> As a developer that works on multiple websites, I have a wildcard DNS
>>> entry that points `projectABC.laptop.example.com
>>> <http://projectabc.laptop.example.com>` to (as an aside it
>>> resolves to for the browsers in a VM).
>>> I would like this setup, where the DNS does resolve to, to be
>>> considered a secure origin, so I can easily develop websites without having
>>> to setup HTTPS on my local machine (I suspect I will need to anyway, but
>>> though I'd mention it).
>> Understood. This is something we've resisted offering in the past due
>> both to conceptual complexity, as well as nondeterministic behavior. It
>> would be difficult for you to understand why, for instance, `
>> project.laptop.example.com` was secure when it pointed to ``,
>> but not when it pointed to ``, because that resolution is
>> completely opaque to you, the user.
>> A better solution, I think, is for browser vendors to provide an override
>> mechanism for origins you specifically care about: Chrome
>> has `--unsafely-treat-insecure-origin-as-secure="
>> http://project.laptop.example.com"`, and I assume Safari, Opera,
>> Firefox, and Edge could be prevailed upon to provide similar controls as
>> suggested in
>> https://www.w3.org/TR/secure-contexts/#development-environments.
> Yes, we probably could, if people really want it.
> It's getting pretty trivial to set up HTTPS locally, though.
> https://www.youtube.com/watch?v=nk4EWHvvZtI
> --Richard
Received on Tuesday, 3 May 2016 15:51:51 UTC
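The two positions in the thread, trusting `localhost`/`*.localhost` by name versus trusting whatever a DNS name happens to resolve to, can be made concrete with a small origin check. The following Python is an added example, not code from the thread or from any browser; it models the "potentially trustworthy origin" decision along the lines of the Secure Contexts document referenced above (https scheme, loopback IP literals, the `localhost` and `*.localhost` names the thread is debating) and adds an explicit per-origin override in the shape of Chrome's `--unsafely-treat-insecure-origin-as-secure` flag. Names are never resolved, so `project.laptop.example.com` and `localhost.example.com` stay untrusted even if their DNS records point at 127.0.0.1, which is exactly the Same Site Scripting shape the message warns about. The function names and the `overrides` parameter are this example's own.

```python
"""Origin trust check modelled on Secure Contexts (added example, not spec code)."""
import ipaddress
from urllib.parse import urlsplit

# Default ports per scheme; a default port is dropped from the serialized origin
# so that "http://example.com:80" and "http://example.com" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def serialize_origin(url: str) -> str:
    """Return scheme://host[:port] in a canonical form for allowlist comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""          # already lowercased, IPv6 brackets removed
    if ":" in host:
        host = f"[{host}]"           # re-bracket IPv6 literals for serialization
    port = p.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def is_loopback_literal(host: str) -> bool:
    """True for 127.0.0.0/8 and ::1 address literals; hostnames are never resolved."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:               # not an IP literal at all
        return False


def is_potentially_trustworthy(url: str, overrides=()) -> bool:
    """Decide trust from the URL alone, without consulting DNS.

    overrides: iterable of origin strings the developer explicitly trusts,
    the shape of Chrome's --unsafely-treat-insecure-origin-as-secure flag
    (hypothetical parameter for this example).
    """
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""
    if scheme in ("https", "wss", "file"):
        return True
    if is_loopback_literal(host):
        return True
    # "localhost" and "*.localhost" are trusted by name, with no DNS lookup.
    # A host such as localhost.example.com does NOT match, even if the zone
    # owner has pointed it at 127.0.0.1 (the Same Site Scripting pattern).
    if host == "localhost" or host.endswith(".localhost"):
        return True
    # Explicit, per-origin developer override: deterministic and visible,
    # unlike a decision that changes with what the resolver answers.
    origin = serialize_origin(url)
    return any(serialize_origin(o) == origin for o in overrides)


if __name__ == "__main__":
    # Constructed sample origins, including the ones discussed in the thread.
    for u in ("https://example.com/", "http://localhost:3000/", "http://app.localhost/",
              "http://127.0.0.1:8080/", "http://[::1]/",
              "http://project.laptop.example.com/", "http://localhost.example.com/"):
        print(f"{u:45} {is_potentially_trustworthy(u)}")
    print(is_potentially_trustworthy("http://project.laptop.example.com/",
                                     overrides=["http://project.laptop.example.com"]))
```

The override list is the only path by which a non-loopback, non-`localhost` HTTP origin becomes trusted, and it is keyed on the serialized origin rather than on an address, so a DNS change cannot silently widen or narrow what is considered secure.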
