
Re: [secure-contexts] `*.localhost` + DNS

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Wed, 4 May 2016 09:54:04 -0700
Message-ID: <CANh-dX=G0OHdyCkGE3x3OJSiGEYhELXuyjpoQpF6C4_5P9n9Pw@mail.gmail.com>
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, May 4, 2016 at 8:59 AM, Adrian Hope-Bailie <adrian@hopebailie.com> wrote:
>> This violates expectations for users:
>
> What users and on what basis?
>
> If the "users" are developers then are you suggesting they don't understand
> that there is a difference between localhost and 127.0.0.1?
>
> We always need to balance good security approaches with pandering to the
> stupidity of users and I think that line can be drawn in a different place
> when the users are explicitly Web developers.

I don't think we need to call people "stupid" for not realizing that
localhost and 127.0.0.1 can be different. We also don't need to
satisfy every expectation when there are good reasons not to.

Jeffrey
Received on Wednesday, 4 May 2016 16:54:52 UTC
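The point that `localhost` and `127.0.0.1` can be different is the crux of the `*.localhost` question: a loopback IP literal cannot be redirected, but a name is whatever the resolver (hosts file, DNS, or anything else in the stack) says it is. The Python below is an added example, not code from this thread, from the Secure Contexts specification, or from any browser. It encodes one cautious rule for the loopback exemption (loopback literals are trusted; `localhost` and `*.localhost` names are trusted only when every address they resolve to is loopback; any other name is never trusted by name) and takes the resolver as a parameter so it can run offline against constructed answers as well as against the real OS resolver. All function names, the rule itself, and the sample answers are assumptions made for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple

# A resolver maps a host name to the addresses it resolves to.  Injecting it
# lets the same check run offline (constructed_resolver) and for real
# (system_resolver); both are hypothetical helpers written for this example.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Resolve through the OS (hosts file, DNS, ...); raises OSError on failure."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed answers standing in for what a resolver might return.  The
# off-box answer for evil.localhost is exactly the scenario the thread worries
# about: the name says "localhost", the address does not.
CONSTRUCTED_ANSWERS = {
    "localhost": ["127.0.0.1", "::1"],
    "dev.localhost": ["127.0.0.1"],
    "evil.localhost": ["203.0.113.7"],              # TEST-NET-3 documentation address
    "mixed.localhost": ["127.0.0.1", "203.0.113.7"],  # one loopback answer is not enough
}


def constructed_resolver(host: str) -> Iterable[str]:
    """Offline stand-in for system_resolver using the constructed table above."""
    try:
        return CONSTRUCTED_ANSWERS[host.rstrip(".").lower()]
    except KeyError:
        raise socket.gaierror("constructed resolver: no answer for %r" % host)


def is_localhost_name(host: str) -> bool:
    """'localhost' or any name under '.localhost' (the RFC 6761 special-use names)."""
    h = host.rstrip(".").lower()
    return h == "localhost" or h.endswith(".localhost")


def potentially_trustworthy(host: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Hypothetical loopback exemption for a URL host (not the spec's algorithm).

    Returns (decision, reason).  The rule encoded here:
      - an IP literal is trusted iff it is a loopback address (127/8 or ::1);
      - 'localhost' / '*.localhost' is trusted only if *every* address the
        resolver returns for it is loopback;
      - any other name is untrusted by name, even if it resolves to 127.0.0.1.
    """
    literal = host.strip("[]")  # URL syntax brackets IPv6 literals
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        ip = None  # not an IP literal: treat as a name below
    if ip is not None:
        if ip.is_loopback:
            return True, "loopback IP literal"
        return False, "non-loopback IP literal"

    if not is_localhost_name(host):
        return False, "not a localhost name"

    try:
        addrs = sorted(set(resolve(host)))
    except OSError:
        return False, "name does not resolve"
    if not addrs:
        return False, "name does not resolve"

    if all(ipaddress.ip_address(a).is_loopback for a in addrs):
        return True, "localhost name resolved only to loopback (%s)" % ", ".join(addrs)
    return False, "localhost name resolved off-box (%s)" % ", ".join(addrs)


if __name__ == "__main__":
    for h in ("127.0.0.1", "[::1]", "localhost", "dev.localhost",
              "evil.localhost", "mixed.localhost", "nope.localhost", "app.example"):
        ok, why = potentially_trustworthy(h, constructed_resolver)
        print("%-16s %-5s %s" % (h, ok, why))
    # Same check against the machine this runs on:
    print("system:", potentially_trustworthy("localhost", system_resolver))
```

The design choice worth noting is that a `localhost` name is never trusted on the strength of the name alone: the decision is made on the addresses actually returned, and a single off-box answer (as in the `mixed.localhost` case) is enough to refuse the exemption. Running the `__main__` block against the system resolver shows what the local stack does with `localhost`, which is the only thing a user agent can really rely on.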
