Re: [secure-contexts] `*.localhost` + DNS

On Wed, May 4, 2016 at 9:46 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Wed, May 4, 2016 at 9:25 AM, Mike West <mkwst@google.com> wrote:
>
>>
>> I don't think this is a good argument for the position; we should support
>> users when it makes sense to do so, even if it's annoying work for us as
>> browser vendors.
>>
>
> ​It's a terrible argument for what the spec should say, agreed. Does
> influence how our team prioritizes implementing specs (this seems like a
> small gain for a lot of work).
> ​
>
>
>> Similarly, we don't know that `*.localhost` is resolving to the loopback
>> address. In the absence of certainty, it makes sense to default to
>> something conservative (we _know_ that `127.0.0.0/8` <http://127.0.0.0/8>
>> won't talk to the internet), and allow developers to make informed
>> decisions about the risks that they're capable of making.
>>
>
> ​I haven't talked to our team but I'm confident we wouldn't blindly
> whitelist *.localhost as "secure" if we can't get the IP information to be
> sure. We might consider treating "http://localhost/" as "secure-enough",
> even knowing that the occasional eccentric maps that somewhere else.
>

Why differentiate *.localhost from localhost when RFC 6761 doesn't treat
them differently? (I imagine that the argument is that most resolvers treat
localhost as special even if not *.localhost, but that seems like shaky
grounds on which to call something secure-enough.)


>
> -Dan Veditz
>

Received on Wednesday, 4 May 2016 20:49:52 UTC