On Wed, May 4, 2016 at 9:25 AM, Mike West <mkwst@google.com> wrote:
>
> I don't think this is a good argument for the position; we should support
> users when it makes sense to do so, even if it's annoying work for us as
> browser vendors.
>
It's a terrible argument for what the spec should say, agreed. Does
influence how our team prioritizes implementing specs (this seems like a
small gain for a lot of work).
> Similarly, we don't know that `*.localhost` is resolving to the loopback
> address. In the absence of certainty, it makes sense to default to
> something conservative (we _know_ that `127.0.0.0/8` <http://127.0.0.0/8>
> won't talk to the internet), and allow developers to make informed
> decisions about the risks that they're capable of making.
>
I haven't talked to our team but I'm confident we wouldn't blindly
whitelist *.localhost as "secure" if we can't get the IP information to be
sure. We might consider treating "http://localhost/" as "secure-enough",
even knowing that the occasional eccentric maps that somewhere else.
-Dan Veditz