On Thu, Sep 29, 2016 at 12:56 AM, Mike West <mkwst@google.com> wrote:
> On Wed, Sep 28, 2016 at 7:58 PM, Emily Stark (Dunn) <estark@google.com>
> wrote:
>
>> We twittered about this briefly, but I wanted to check: is the proposal
>> that 'let localhost be localhost' goes through and then Secure Contexts
>> changes to say that browsers should hardcode the resolution of local
>> hostnames to loopback IPs?
>>
>
> My goal with the ID is to give Chrome cover to reject resolutions of
> `*.localhost` that don't map to loopback IP addresses. We'd either fail the
> resolution, or fallback to 127.0.0.1, or something similar. I don't have
> strong opinions about the exact behavior, but the impact would be that we
> could continue treating `localhost` as a secure context. I think that's in
> line with developer expectations, and I would appreciate other browsers
> following along.
>
> To that end, Secure Contexts would revert https://github.com/w3c/
> webappsec-secure-contexts/commit/77175e335f96e52431888dfacf382c47e9637aeb,
> and add a requirement for conformant user agents to ensure that localhost
> resolution follows the ID.
>
> Does that make sense?
>
Yep! Thanks for the clarification.
>
> -mike
>