`localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.)

On Tue, Aug 2, 2016 at 8:51 PM, Mike West <mkwst@google.com> wrote:

> * In https://github.com/w3c/webappsec-secure-contexts/issues/43, Erik
> suggested that the move to exclude `localhost` was the wrong way to solve
> the problem, and that we should instead treat it as "secure" if it resolves
> to a loopback address. Recorded in the spec as
> https://w3c.github.io/webappsec-secure-contexts/#issue-8ea95bab. Without some change in the way
> that agents' DNS resolvers handle these names, I'm reluctant to change the
> spec, but perhaps pushing for that change is a reasonable thing to do.
>

Following up on this now that we've hit CR: I've written up the change to
DNS resolvers suggested in the GitHub discussion at
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost.

The general response has been positive, but opinions from folks on this
list would be appreciated. If we can get something like this proposal
adopted in user agents, I'd be comfortable calling `localhost` as secure as
`127.0.0.1`. WDYT?

-mike

Received on Wednesday, 28 September 2016 12:24:52 UTC
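The check under discussion, as an added example that is not part of Mike's message, the Secure Contexts spec text, or any user agent's code: loopback IP literals (127.0.0.0/8 and ::1) count as secure unconditionally, while the name `localhost` counts only when the caller asserts that the user agent's resolver pins it to loopback, which is the resolver change the draft proposes. The function names, the `localhostIsLoopback` option and the handling of `*.localhost` and trailing-dot names are this example's own assumptions.

```javascript
// Added example, not code from the original message, the Secure Contexts
// spec, or any user agent. It models the "potentially trustworthy" host
// check that the thread is about: loopback IP literals are always trusted,
// while the name `localhost` is trusted only when the caller asserts that
// the user agent's resolver guarantees it maps to loopback (the change
// proposed in draft-west-let-localhost-be-localhost). Function names, the
// `localhostIsLoopback` option and the `*.localhost` handling are this
// example's own choices (assumptions), not spec text.

function isLoopbackIPv4(host) {
  // Dotted-quad literal inside 127.0.0.0/8.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false;
  return octets[0] === 127;
}

function parseIPv6(literal) {
  // Expand a textual IPv6 address into eight 16-bit groups, or null if
  // malformed. Dotted-quad suffixes (e.g. ::ffff:127.0.0.1) are rejected on
  // purpose: an IPv4-mapped loopback is not the ::1 literal.
  if (!/^[0-9a-f:]+$/i.test(literal)) return null;
  const halves = literal.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const zeros = new Array(halves.length === 2 ? missing : 0).fill('0');
  const groups = [...head, ...zeros, ...tail];
  const nums = groups.map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

function isLoopbackIPv6(host) {
  // URL hosts carry IPv6 literals in brackets, e.g. "[::1]".
  const m = /^\[(.+)\]$/.exec(host);
  if (!m) return false;
  const groups = parseIPv6(m[1]);
  if (!groups) return false;
  return groups.slice(0, 7).every((g) => g === 0) && groups[7] === 1; // ::1
}

function isPotentiallyTrustworthyHost(host, { localhostIsLoopback = false } = {}) {
  const h = host.toLowerCase().replace(/\.$/, ''); // ignore a trailing dot
  if (isLoopbackIPv4(h) || isLoopbackIPv6(h)) return true;
  // The name itself is trusted only if the resolver is known to pin it
  // to loopback; without that guarantee the answer stays "not secure".
  if (h === 'localhost' || h.endsWith('.localhost')) return localhostIsLoopback;
  return false;
}

function isPotentiallyTrustworthyOrigin(urlString, opts) {
  // Scheme rule plus the host rule above. Only https and wss are listed
  // here; file: and other scheme-specific cases are omitted for brevity.
  const url = new URL(urlString);
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  return isPotentiallyTrustworthyHost(url.hostname, opts);
}

// Constructed sample hosts, as a browser would hand them to the check.
for (const host of ['127.0.0.1', '[::1]', 'localhost', 'dev.localhost', 'example.com']) {
  console.log(
    host,
    'today:', isPotentiallyTrustworthyHost(host),
    'with resolver guarantee:', isPotentiallyTrustworthyHost(host, { localhostIsLoopback: true }),
  );
}
```

The split between the literal checks and the name check is the point of the thread: `127.0.0.1` is secure because the address is loopback by definition, while `localhost` is only as secure as whatever the platform resolver returns for it, so a user agent would set `localhostIsLoopback` only once it enforces the resolver behaviour the draft describes.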