- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 5 May 2016 01:14:14 +1000
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3 May 2016 at 20:22, Mike West <mkwst@google.com> wrote:
> Given this, it's not clear to me that we can ("should"?) treat `*.localhost`
> as a secure context. I think it might be a good idea to drop step 3 of
> https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy accordingly.

This violates expectations for users:

  http://127.0.0.1/ -- OK
  http://[::1]/ -- OK
  http://localhost/ -- not OK

I think that Richard is on the right approach here. It's not that hard to stand up a self-signed cert for loopback and then go through certificate exception dialogs as a one-off. That deals with the developer case.

The case of talking to local applications that offer web servers locally is actually the same problem as talking to your router. We don't have a great story for that, but the certificate exception is the answer there (for the moment).

Received on Wednesday, 4 May 2016 15:20:34 UTC