On Tue, May 3, 2016 at 6:22 AM, Adrian Hope-Bailie <adrian@hopebailie.com>
wrote:
> Are you saying that the intent is to not consider the actual resolved IP
> address of the host but rather the host portion of the requested URL? It
> would seem less "hacky" to have a rule that simply says, if the host
> resolves to 127.0.0.1 it's secure.
It would be less hacky to the user, but at least in Gecko there's not
currently a good path for the DOM layer that is making these security
decisions to get the resolved IP address from the networking layer. As a
practical matter it would be far easier to support a flag as Mike
suggested than to rewrite a bunch of internal APIs.
-Dan Veditz