Re: `localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.)

On 28 September 2016 at 14:24, Mike West <mkwst@google.com> wrote:

> On Tue, Aug 2, 2016 at 8:51 PM, Mike West <mkwst@google.com> wrote:
>
>> * In https://github.com/w3c/webappsec-secure-contexts/issues/43, Erik
>> suggested that the move to exclude `localhost` was the wrong way to solve
>> the problem, and that we should instead treat it as "secure" if it resolves
>> to a loopback address. Recorded in the spec as
>> https://w3c.github.io/webappsec-secure-contexts/#issue-8ea95bab. Without
>> some change in the way that agents' DNS resolvers handle these names, I'm
>> reluctant to change the spec, but perhaps pushing for that change is a
>> reasonable thing to do.
>>
>
> Following up on this now that we've hit CR: I've written up the change to
> DNS resolvers suggested in the GitHub discussion at
> https://tools.ietf.org/html/draft-west-let-localhost-be-localhost.
>
> The general response has been positive, but opinions from folks on this
> list would be appreciated. If we can get something like this proposal
> adopted in user agents, I'd be comfortable calling `localhost` as secure as
> `127.0.0.1`. WDYT?
>

I currently use my browser to connect to localhost (via http and https).  A
couple of questions:

1. Is this spec something that affects user agents today, or something in
the future? I'd love to hear a short description of how.

2. Is there an easy workaround? For example, could I alias my localhost to
be called another domain name via /etc/hosts or using a CNAME that tunnels
through my firewall (which I think would work for me at home but not when
I'm traveling)? Or is there a flag to switch it off in the user agent's
settings?


>
> -mike
>

Received on Wednesday, 28 September 2016 23:20:58 UTC