Re: [secure-contexts] `*.localhost` + DNS

On Wed, May 4, 2016 at 11:52 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

> On Wed, May 4, 2016 at 5:52 PM, Chris Palmer <palmer@google.com> wrote:
>
>> On Wed, May 4, 2016 at 12:03 PM, Emily Stark (Dunn) <estark@google.com>
>> wrote:
>>
>> Why differentiate *.localhost from localhost when RFC 6761 doesn't treat
>>> them differently? (I imagine that the argument is that most resolvers treat
>>> localhost as special even if not *.localhost, but that seems like shaky
>>> grounds on which to call something secure-enough.)
>>>
>>
>> You are right, those are shaky grounds.
>>
>> I'm increasingly inclined to remove localhost (but not 127/8 or ::1) from
>> the set of secure contexts, and to resolve the developer-pain problem with
>> a command line flag or other run-time, expert-user option.
>>
>
> I am also trending in that direction.
>

I've made this change to the spec in
https://github.com/w3c/webappsec-secure-contexts/commit/77175e335f96e52431888dfacf382c47e9637aeb
.

-mike

Received on Friday, 6 May 2016 08:54:59 UTC