W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

`localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.)

From: Mike West <mkwst@google.com>
Date: Wed, 28 Sep 2016 14:24:00 +0200
Message-ID: <CAKXHy=e=pPg_1Wyfcfyx-j-F8xN3pH8Xox9aggkfomf5ppE5Jg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>, Jake Archibald <jakearchibald@google.com>, Erik Nygren <erik+w3@nygren.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "www-tag@w3.org List" <www-tag@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
On Tue, Aug 2, 2016 at 8:51 PM, Mike West <mkwst@google.com> wrote:

> * In https://github.com/w3c/webappsec-secure-contexts/issues/43, Erik
> suggested that the move to exclude `localhost` was the wrong way to solve
> the problem, and that we should instead treat it as "secure" if it resolves
> to a loopback address. Recorded in the spec as https://w3c.github.io/
> webappsec-secure-contexts/#issue-8ea95bab. Without some change in the way
> that agent's DNS resolvers handle these names, I'm reluctant to change the
> spec, but perhaps pushing for that change is a reasonable thing to do.

Following up on this now that we've hit CR: I've written up the change to
DNS resolvers suggested in the GitHub discussion at

The general response has been positive, but opinions from folks on this
list would be appreciated. If we can get something like this proposal
adopted in user agents, I'd be comfortable calling `localhost` as secure as
``. WDYT?

Received on Wednesday, 28 September 2016 12:24:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC