Re: `localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.)

On 28 September 2016 at 14:24, Mike West <> wrote:

> On Tue, Aug 2, 2016 at 8:51 PM, Mike West <> wrote:
>> * In, Erik
>> suggested that the move to exclude `localhost` was the wrong way to solve
>> the problem, and that we should instead treat it as "secure" if it resolves
>> to a loopback address. Recorded in the spec as
>> Without
>> some change in the way that agent's DNS resolvers handle these names, I'm
>> reluctant to change the spec, but perhaps pushing for that change is a
>> reasonable thing to do.
> Following up on this now that we've hit CR: I've written up the change to
> DNS resolvers suggested in the GitHub discussion at
> The general response has been positive, but opinions from folks on this
> list would be appreciated. If we can get something like this proposal
> adopted in user agents, I'd be comfortable calling `localhost` as secure as
> ``. WDYT?

I currently use my browser to connect to localhost (via http and https).  A
couple of questions:

1. Is this spec something that affects user agents today, or something in
future?  I'd love to hear a short description of how.

2. Is there an easy workaround?  For example, could I alias my localhost to
be called another domain name via /etc/hosts or using a CNAME that tunnels
through my firewall (which I think would work for me at home but not when
I'm traveling)?  Or is there a flag to switch it off in the user agents?

> -mike

Received on Wednesday, 28 September 2016 23:20:58 UTC