Re: [secure-contexts] `*.localhost` + DNS

On Wed, May 4, 2016 at 5:52 PM, Chris Palmer <palmer@google.com> wrote:

> On Wed, May 4, 2016 at 12:03 PM, Emily Stark (Dunn) <estark@google.com>
> wrote:
>
>> Why differentiate *.localhost from localhost when RFC 6761 doesn't treat
>> them differently? (I imagine that the argument is that most resolvers treat
>> localhost as special even if not *.localhost, but that seems like shaky
>> grounds on which to call something secure-enough.)
>>
>
> You are right, those are shaky grounds.
>
> I'm increasingly inclined to remove localhost (but not 127/8 or ::1) from
> the set of secure contexts, and to resolve the developer-pain problem with
> a command line flag or other run-time, expert-user option.
>

I am also trending in that direction.

--Richard

Received on Wednesday, 4 May 2016 21:53:21 UTC
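
An added illustration, not part of the thread or of the Secure Contexts specification: it contrasts the loopback literals (127/8, ::1), which need no name resolution, with `localhost` and `*.localhost` names, whose answer depends on the resolver in use. The function names and the constructed resolver table are hypothetical.

```python
import ipaddress
import socket

def is_loopback_literal(host):
    """True only for IP literals in 127.0.0.0/8 or ::1; names never match."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

def system_resolver(name):
    """Addresses the local resolver returns for name (may go out to DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

def resolves_only_to_loopback(name, resolver=system_resolver):
    """True if the resolver answers and every address is a loopback address."""
    try:
        addrs = resolver(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False
    return bool(addrs) and all(is_loopback_literal(a) for a in addrs)

def classify(host, resolver=system_resolver):
    """Report whether host is a loopback literal or a resolver-dependent name."""
    if is_loopback_literal(host):
        return "literal: loopback"
    labels = host.rstrip(".").lower().split(".")
    if labels[-1] == "localhost":
        if resolves_only_to_loopback(host, resolver):
            return "name: loopback on this resolver"
        return "name: NOT loopback on this resolver"
    return "not local"

# Constructed resolver: special-cases bare "localhost" but returns a
# documentation-range address (203.0.113.7) for a subdomain of it.
CONSTRUCTED_ANSWERS = {
    "localhost": ["127.0.0.1", "::1"],
    "app.localhost": ["203.0.113.7"],
}

def constructed_resolver(name):
    if name not in CONSTRUCTED_ANSWERS:
        raise socket.gaierror("constructed: no such name")
    return CONSTRUCTED_ANSWERS[name]

if __name__ == "__main__":
    for h in ("127.0.0.2", "[::1]", "localhost", "app.localhost"):
        print(h, "->", classify(h, constructed_resolver))
```

Calling `classify(name)` without the second argument uses the machine's own resolver, which shows how a given host actually answers for `localhost` and its subdomains.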