Contact emails
Spec
https://w3c.github.io/webappsec-secure-contexts/#localhost
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost
The TAG reviewed the underlying Secure Context spec before we shipped it; this carveout was covered.
Summary
Chrome will ensure that `localhost` resolves to a loopback address, thereby ensuring that we can safely treat `http://localhost/` and `http://*.localhost/` as secure contexts, just like `https://example.com/` and `http://127.0.0.1/`.
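The two rules the summary combines (which URLs count as potentially trustworthy, and the requirement that `localhost` names never resolve off the loopback interface) are easy to get subtly wrong, so here is a small added Python model of them. It is illustrative code written for this page, not Chromium's implementation; the resolver, the hosts table and the `guarded_resolve`/`name_trusted_but_resolves_elsewhere` helpers are constructed for the example. It also handles the fully-qualified forms (`localhost.` and `*.localhost.`) discussed later in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical local answers a guarded resolver returns for localhost names.
LOOPBACK_ANSWERS = ("127.0.0.1", "::1")


def is_loopback_address(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1 literals; False for names or empty strings."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_localhost_name(host: str) -> bool:
    """'localhost', any '*.localhost' label, and the fully-qualified forms with a trailing dot."""
    h = host.lower()
    if h.endswith("."):
        h = h[:-1]  # drop exactly one trailing dot ("localhost." is the FQDN form)
    return h == "localhost" or h.endswith(".localhost")


def is_potentially_trustworthy(url: str) -> bool:
    """Models the rules the intent names: https, loopback literals, localhost names.
    (The Secure Contexts spec has further rules, e.g. file:, not modelled here.)"""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit strips [] from IPv6 literals and lowercases
    if scheme == "https":
        return True
    if is_loopback_address(host):
        return True
    if scheme == "http" and is_localhost_name(host):
        return True
    return False


def guarded_resolve(host: str, resolver):
    """Resolve `host`, but answer localhost names locally so the query never
    leaves the machine and can never yield a non-loopback address.
    `resolver` is a constructed stand-in for the system resolver."""
    if is_localhost_name(host):
        return list(LOOPBACK_ANSWERS)
    return resolver(host)


# Constructed hosts table standing in for a misconfigured system resolver.
# The addresses are from the TEST-NET documentation ranges, deliberately not loopback.
FAKE_HOSTS = {
    "localhost": ["203.0.113.5"],
    "dev.localhost": ["203.0.113.6"],
    "example.com": ["192.0.2.10"],
}


def fake_resolver(host: str):
    return FAKE_HOSTS.get(host.lower().rstrip("."), [])


def name_trusted_but_resolves_elsewhere(host: str, resolver) -> bool:
    """The inconsistency the intent closes: a name the browser treats as secure
    whose unguarded resolution does not land on a loopback address."""
    answers = resolver(host)
    return is_localhost_name(host) and not all(is_loopback_address(a) for a in answers)


if __name__ == "__main__":
    for u in ("http://localhost/", "http://app.localhost:8080/", "http://[::1]:3000/",
              "http://localhost.example.com/", "http://example.com/"):
        print(u, is_potentially_trustworthy(u))
    print("unguarded:", fake_resolver("localhost"), "guarded:", guarded_resolve("localhost", fake_resolver))
```

The point of `name_trusted_but_resolves_elsewhere` is the gap the motivation describes: treating the name as secure while letting the resolver send it anywhere. `guarded_resolve` is one way to close it; filtering the resolver's answers down to loopback addresses would be another.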
Motivation
Developers generally expect `http://localhost` to resolve to a loopback address, and are generally surprised to learn that it sometimes doesn't. They're even more surprised to learn that we treat `127.0.0.1` and `localhost` differently for the purposes of secure context calculation.
Interoperability and Compatibility Risk
Edge: No signals
Firefox currently considers `localhost` secure, but doesn't seem to ensure that it maps to a loopback address (http://searchfox.org/mozilla-central/source/dom/security/nsContentSecurityManager.cpp#706). They've expressed public support for doing so in the DNSOP thread at https://www.ietf.org/mail-archive/web/dnsop/current/threads.html#20661.
Safari currently considers `localhost` secure, but does not actually ensure that it maps to a loopback address (https://github.com/WebKit/webkit/blob/097bb2a0dd6bdf977f08f24a0a35d2e9789e10db/Source/WebCore/page/SecurityOrigin.cpp#L592).
Web developers: Positive
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests?
No. Upstreaming tests for this feature to WPT will be difficult, as it relies explicitly on `localhost` _not_ hitting an external server, like `web-platform.test`, whereas WPT needs to run on a variety of clients, including those which don't themselves host servers.
OWP launch tracking bug
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/6269417340010496
Requesting approval to ship?
Yes.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Dfp04%3D1ARP5ZkwQM9uOD18B1%2BjBvm8J1LddNbjc0qJUHw%40mail.gmail.com.
Just to clarify, Chrome already treats http://localhost as a secure context, so this change is just the DNS resolution and not a change to what hostnames we consider potentially trustworthy, right?
Chrome *does* consider http://localhost to be mixed content, though, so maybe we can change that as part of this I2I&S? It would be great to be in a more consistent state.
On Monday 2017-08-21 18:06 -0700, Mike West wrote:
> You're correct on both counts: Safari and Firefox only treat the
> `localhost` host as secure. I intend to treat `localhost.` and everything
> falling within `.localhost.` as secure (after ensuring that they resolve to
> loopback). That's also what's documented in the relevant specs. I'll make
> sure to file bugs against WebKit and Firefox.
There are some existing relevant Firefox bugs:
Consider hardcoding localhost names to the loopback address
https://bugzilla.mozilla.org/show_bug.cgi?id=1220810 (WONTFIX)
Stop treating 'localhost' as securely delivered for the purposes of Secure Contexts
https://bugzilla.mozilla.org/show_bug.cgi?id=1346835
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAKXHy%3DfAuHaPZWgH04GmHsRwmmQfPeSBMUah17bAQLgzEkcCog%40mail.gmail.com.