- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Wed, 4 May 2016 17:59:06 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CA+eFz_JQ=cGC6=F68VwcZSBCP1PQbQpz9Y9eJ+Qx5UJxGUyWCg@mail.gmail.com>
> This violates expectations for users:
What users and on what basis?
If the "users" are developers then are you suggesting they don't understand
that there is a difference between localhost and 127.0.0.1?
We always need to balance good security approaches with pandering to the
stupidity of users and I think that line can be drawn in a different place
when the users are explicitly Web developers.
Put simply: localhost and 127.0.0.1 are not the same thing and shouldn't be
treated the same. Users that think they are always the same are very
unlikely to be in the target audience here.
On 4 May 2016 at 17:14, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 3 May 2016 at 20:22, Mike West <mkwst@google.com> wrote:
> > Given this, it's not clear to me that we can ("should"?) treat
> `*.localhost`
> > as a secure context. I think it might be a good idea to drop step 3 of
> > https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy
> accordingly.
>
> This violates expectations for users:
>
> http://127.0.0.1/ -- OK
> http://[::1]/ -- OK
> http://localhost/ -- not OK
>
> I think that Richard is on the right approach here. It's not that
> hard to stand up a self-signed cert for loopback and then go through
> certificate exception dialogs as a one-off. That deals with the
> developer case.
>
> The case of talking to local applications that offer web servers
> locally is actually the same problem as talking to your router. We
> don't have a great story for that, but the certificate exception is
> the answer there (for the moment).
>
>
Received on Wednesday, 4 May 2016 15:59:35 UTC