Re: `localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.)

On Wed, Sep 28, 2016 at 7:58 PM, Emily Stark (Dunn) <estark@google.com>
wrote:

> We twittered about this briefly, but I wanted to check: is the proposal
> that 'let localhost be localhost' goes through and then Secure Contexts
> changes to say that browsers should hardcode the resolution of local
> hostnames to loopback IPs?
>

My goal with the ID is to give Chrome cover to reject resolutions of
`*.localhost` that don't map to loopback IP addresses. We'd either fail the
resolution, or fall back to 127.0.0.1, or something similar. I don't have
strong opinions about the exact behavior, but the impact would be that we
could continue treating `localhost` as a secure context. I think that's in
line with developer expectations, and I would appreciate other browsers
following along.

To that end, Secure Contexts would revert
https://github.com/w3c/webappsec-secure-contexts/commit/77175e335f96e52431888dfacf382c47e9637aeb,
and add a requirement for conformant user agents to ensure that localhost
resolution follows the ID.

Does that make sense?

-mike

Received on Thursday, 29 September 2016 07:57:30 UTC
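
The check described in the message above, sketched as an added example; it is not part of the original message and not Chrome's or any browser's code. The function names, the `policy` parameter and the sample resolver answers are hypothetical, and the addresses are constructed for illustration.

```python
import ipaddress


def is_localhost_name(host: str) -> bool:
    """True for `localhost` and any name under `.localhost`.

    Comparison is case-insensitive and tolerates one trailing root dot.
    """
    name = host[:-1] if host.endswith(".") else host
    name = name.lower()
    return name == "localhost" or name.endswith(".localhost")


def vet_resolution(host: str, resolved: list, policy: str = "fail") -> list:
    """Return the addresses a caller may use for `host`.

    Other names pass through unchanged. For a localhost name, every
    answer must be a loopback address (127.0.0.0/8 or ::1); otherwise
    the lookup fails, or is replaced by 127.0.0.1 when policy is
    "fallback" (the two behaviours the message mentions).
    """
    addrs = [ipaddress.ip_address(a) for a in resolved]
    if not is_localhost_name(host):
        return [str(a) for a in addrs]
    if addrs and all(a.is_loopback for a in addrs):
        return [str(a) for a in addrs]
    if policy == "fallback":
        return ["127.0.0.1"]
    raise LookupError(f"{host!r} resolved to a non-loopback address")


if __name__ == "__main__":
    # Constructed resolver answers, e.g. from a hosts file or a local DNS server.
    samples = [
        ("localhost", ["127.0.0.1", "::1"]),
        ("app.localhost", ["192.0.2.10"]),             # remapped off-host
        ("LOCALHOST.", ["127.0.0.1", "192.0.2.10"]),   # mixed answer set
        ("localhost.example.com", ["192.0.2.10"]),     # not a localhost name
    ]
    for host, answers in samples:
        try:
            print(host, "->", vet_resolution(host, answers))
        except LookupError as exc:
            print(host, "-> rejected:", exc)
```
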