W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

Re: Restrict loopback address to Secure Contexts?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 28 Sep 2016 10:17:41 +0200
Message-ID: <CADnb78hBVNWA4pdQ_ihDdmM3g13AiefuYrqVMLvc41B3=3Su6Q@mail.gmail.com>
To: Crispin Cowan <crispin@microsoft.com>
Cc: Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "wilander@apple.com" <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Sep 28, 2016 at 12:18 AM, Crispin Cowan <crispin@microsoft.com> wrote:
> On the perfect being the enemy of the good: you are quite right, I am
> describing an idealized world. I thought that’s what Standards are for, and
> we then work towards them? Conversely, it seems like it would be bad to
> standardize on “good enough for now” and then need to change it.

We standardize what ships or we estimate we can ship within a short
amount of time. It's not at all that aspirational as you make it out
to be. E.g., in some idealized world I might have wished there would
be no need to have written https://encoding.spec.whatwg.org/ but the
fact is that there's more than UTF-8 in use. Ignoring that leads to
issues for users and is also anti-competitive to some extent as it
hinders new browsers from entering the market.

> Edge can’t do an effective job of CORS Preflight right now due to
> architectural issues which we hope to address in the future. Meanwhile we
> keep Edge users safe from loopback attack with a different mitigation that
> is not worthy of floating as a standard.

Why not? If it works and is deployed today...

> What is “happy eyeballs”?


Received on Wednesday, 28 September 2016 08:18:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC