On Wed, May 4, 2016 at 9:46 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On Wed, May 4, 2016 at 9:25 AM, Mike West <mkwst@google.com> wrote:
>
>>
>> I don't think this is a good argument for the position; we should support
>> users when it makes sense to do so, even if it's annoying work for us as
>> browser vendors.
>>
>
> It's a terrible argument for what the spec should say, agreed. Does
> influence how our team prioritizes implementing specs (this seems like a
> small gain for a lot of work).
>
>
>
>> Similarly, we don't know that `*.localhost` is resolving to the loopback
>> address. In the absence of certainty, it makes sense to default to
>> something conservative (we _know_ that `127.0.0.0/8`
>> won't talk to the internet), and allow developers to make informed
>> decisions about the risks that they're capable of making.
>>
>
> I haven't talked to our team but I'm confident we wouldn't blindly
> whitelist *.localhost as "secure" if we can't get the IP information to be
> sure. We might consider treating "http://localhost/" as "secure-enough",
> even knowing that the occasional eccentric maps that somewhere else.
>
Why differentiate *.localhost from localhost when RFC 6761 doesn't treat
them differently? (I imagine that the argument is that most resolvers treat
localhost as special even if not *.localhost, but that seems like shaky
grounds on which to call something secure-enough.)
>
> -Dan Veditz
>
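
The distinction debated in this thread, as an added example (not part of the original messages, the spec, or any browser's code): an IPv4 literal in 127.0.0.0/8 is known to be loopback, while `localhost` and `*.localhost` are only as trustworthy as the resolver's answer. The function names, result labels and sample addresses are assumptions made for illustration; IPv6 is left out.

```javascript
// Added illustration. Names and result labels are hypothetical.

// Parse a strict dotted-quad IPv4 literal; return its 4 octets or null.
function parseIPv4(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    // Reject empty, hex, signed and leading-zero forms to stay conservative.
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// True only for literals inside 127.0.0.0/8.
function isLoopbackIPv4(host) {
  const o = parseIPv4(host);
  return o !== null && o[0] === 127;
}

// True for "localhost" and any "*.localhost" name (case-insensitive,
// optional trailing root dot), the names RFC 6761 reserves.
function isLocalhostName(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === "localhost" || h.endsWith(".localhost");
}

// resolved: IPv4 strings the resolver returned, or null when the caller
// cannot get the IP information (the case discussed in the thread).
function classifyHost(host, resolved = null) {
  if (isLoopbackIPv4(host)) return "loopback-literal";       // known loopback
  if (!isLocalhostName(host)) return "not-local";
  if (resolved === null || resolved.length === 0) {
    return "localhost-unverified";                           // no IP information
  }
  // Every returned address must be loopback; one stray answer is enough
  // to show the name has been mapped somewhere else.
  return resolved.every(isLoopbackIPv4)
    ? "localhost-verified"
    : "localhost-remapped";
}
```

A policy that trusts only `loopback-literal` matches the conservative default; one that also accepts `localhost-verified` needs the resolver's answer at decision time.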