Re: `localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.)

We twittered about this briefly, but I wanted to check: is the proposal
that 'let localhost be localhost' goes through and then Secure Contexts
changes to say that browsers should hardcode the resolution of local
hostnames to loopback IPs?

On Wed, Sep 28, 2016 at 5:24 AM, Mike West <mkwst@google.com> wrote:

> On Tue, Aug 2, 2016 at 8:51 PM, Mike West <mkwst@google.com> wrote:
>
>> * In https://github.com/w3c/webappsec-secure-contexts/issues/43, Erik
>> suggested that the move to exclude `localhost` was the wrong way to solve
>> the problem, and that we should instead treat it as "secure" if it resolves
>> to a loopback address. Recorded in the spec as
>> https://w3c.github.io/webappsec-secure-contexts/#issue-8ea95bab. Without
>> some change in the way that agents' DNS resolvers handle these names, I'm
>> reluctant to change the spec, but perhaps pushing for that change is a
>> reasonable thing to do.
>>
>
> Following up on this now that we've hit CR: I've written up the change to
> DNS resolvers suggested in the GitHub discussion at
> https://tools.ietf.org/html/draft-west-let-localhost-be-localhost.
>
> The general response has been positive, but opinions from folks on this
> list would be appreciated. If we can get something like this proposal
> adopted in user agents, I'd be comfortable calling `localhost` as secure as
> `127.0.0.1`. WDYT?
>
> -mike
>

Received on Wednesday, 28 September 2016 17:59:38 UTC
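
The two options in this thread, side by side, as an added example that is not part of the original messages or of any browser's code: trusting `localhost` only when the resolver's answer is loopback (issue 43), versus hardcoding localhost names to loopback as the reply asks about. All function names and the misconfigured resolver are constructed for illustration; the `.localhost` suffix rule follows the localhost names reserved in RFC 6761.

```javascript
// Added illustration; every name and the sample resolver are constructed.

// Loopback ranges: 127.0.0.0/8 for IPv4, ::1 for IPv6.
function isLoopbackAddress(addr) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (v4) return v4.slice(1).every((o) => Number(o) <= 255) && v4[1] === '127';
  // IPv6: expand a single "::" and require the groups 0:0:0:0:0:0:0:1.
  if (!/^[0-9a-f:]+$/i.test(addr) || addr.split('::').length > 2) return false;
  const [head, tail] = addr.split('::');
  const left = head ? head.split(':') : [];
  const right = tail ? tail.split(':') : [];
  const fill = tail === undefined ? 0 : 8 - left.length - right.length;
  if (tail !== undefined && fill < 1) return false;
  const groups = [...left, ...Array(fill).fill('0'), ...right];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) return false;
  return groups.every((g, i) => parseInt(g, 16) === (i === 7 ? 1 : 0));
}

// "localhost" and any name under ".localhost", ignoring case and a root dot.
function isLocalhostName(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return h === 'localhost' || h.endsWith('.localhost');
}

// Option A (issue 43): the name is secure only if every resolved address
// is loopback. The verdict depends on what the resolver returns.
function secureIfResolvesToLoopback(host, resolve) {
  const addrs = resolve(host);
  return addrs.length > 0 && addrs.every(isLoopbackAddress);
}

// Option B (hardcoding, as asked in the reply): localhost names never reach
// the resolver, so the name is exactly as trustworthy as the loopback IP.
function resolveHardcoded(host, resolve) {
  return isLocalhostName(host) ? ['127.0.0.1', '::1'] : resolve(host);
}

// Constructed resolver standing in for a hosts-file or search-list
// misconfiguration that maps localhost names to a non-loopback address.
const misconfigured = (host) =>
  isLocalhostName(host) ? ['192.0.2.10'] : ['198.51.100.7'];
```

With `misconfigured`, option A reports `localhost` as not secure, while wrapping the same resolver in `resolveHardcoded` makes the verdict independent of the resolver's answer for localhost names only.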