Re: `localhost` as Secure Context, take 2 (was Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.)

On Wed, Sep 28, 2016 at 7:58 PM, Emily Stark (Dunn) wrote:

> We twittered about this briefly, but I wanted to check: is the proposal
> that 'let localhost be localhost' goes through and then Secure Contexts
> changes to say that browsers should hardcode the resolution of local
> hostnames to loopback IPs?

My goal with the ID is to give Chrome cover to reject resolutions of
`*.localhost` that don't map to loopback IP addresses. We'd either fail the
resolution, or fall back to, or something similar. I don't have
strong opinions about the exact behavior, but the impact would be that we
could continue treating `localhost` as a secure context. I think that's in
line with developer expectations, and I would appreciate other browsers
following along.

To that end, Secure Contexts would revert,
and add a requirement for conformant user agents to ensure that localhost
resolution follows the ID.

Does that make sense?


Received on Thursday, 29 September 2016 07:57:30 UTC
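
The check the message describes (refuse any resolution of `localhost` or `*.localhost` that is not a loopback address), sketched in Python as an added example; it is not part of the original message and is not Chrome's or the draft's code. All function names are hypothetical, the sample answers are constructed, and only the "fail the resolution" option is implemented.

```python
import ipaddress


class LocalhostResolutionError(Exception):
    """A localhost name resolved to something other than loopback."""


def is_localhost_name(host: str) -> bool:
    # Case-insensitive match; one trailing root dot is tolerated.
    name = host.lower()
    if name.endswith("."):
        name = name[:-1]
    return name == "localhost" or name.endswith(".localhost")


def is_loopback(address: str) -> bool:
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # unparsable answers are never trusted
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback  # 127.0.0.0/8 or ::1


def check_resolution(host: str, addresses: list) -> list:
    """Pass ordinary names through; fail localhost names unless every
    answer (and at least one) is a loopback address."""
    if not is_localhost_name(host):
        return list(addresses)
    bad = [a for a in addresses if not is_loopback(a)]
    if bad or not addresses:
        raise LocalhostResolutionError(f"{host!r} -> {bad or 'no answers'}")
    return list(addresses)


if __name__ == "__main__":
    # Constructed resolver answers (192.0.2.0/24 is a documentation range).
    samples = {
        "localhost": ["127.0.0.1", "::1"],
        "app.localhost.": ["127.0.0.1"],
        "dev.localhost": ["192.0.2.10"],
        "localhost.example.com": ["192.0.2.10"],
    }
    for host, answers in samples.items():
        try:
            print(host, "->", check_resolution(host, answers))
        except LocalhostResolutionError as exc:
            print(host, "-> resolution failed:", exc)
```
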