Re: [secure-contexts] `*.localhost` + DNS

On Wed, May 4, 2016 at 12:03 PM, Emily Stark (Dunn) <>

Why differentiate *.localhost from localhost when RFC 6761 doesn't treat
> them differently? (I imagine that the argument is that most resolvers treat
> localhost as special even if not *.localhost, but that seems like shaky
> grounds on which to call something secure-enough.)

You are right, those are shaky grounds.

I'm increasingly inclined to remove localhost (but not 127/8 or ::1) from
the set of secure contexts, and to resolve the developer-pain problem with
a command line flag or other run-time, expert-user option.

Received on Wednesday, 4 May 2016 21:52:41 UTC