Currently, the host name
"localhost.localdomain" resolves to the loopback addresses ::1
and 127.0.0.1, bypassing native DNS, and the corresponding origin is
treated as secure. The goal of this entry is to remove this
non-standard behavior.
Motivation
Standards describe an optional resolution
of the "localhost" host name and trustworthiness of
corresponding origin [1] [2]. Users have complained about
inconsistency between Chromium (which implements the spec),
Firefox (which only implemented it recently) and WebKit (where
patches are being submitted). Hopefully things can be made
consistent and the specification a bit stricter. However,
Chromium also has similar but non-standard behavior for
"localhost.localdomain". Removing this would help to make things
more predictable for users.
This will improve interoperability since there is no specification defining this behavior and no plans in WebKit/Firefox to implement it. There is a potential risk to break websites relying on these host names. It seems this was implemented ten years ago, motivated by existing DNS resolution in some Linux distributions. Public usage seems relatively low (see detailed analysis below).

People willing to continue to treat localhost.localdomain specially for local development or specific systems can still configure native DNS. Chromium also implements a special allow list as permitted by the specification:
https://source.chromium.org/chromium/chromium/src/+/master:services/network/public/cpp/is_potentially_trustworthy.h;l=43;drc=bf799475f9ff40b7e1e2be2fd3a68911c4f047ee
This is reducing the scope of "potentially trustworthy" so making security stricter.
-- Frédéric Wang
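
The trustworthiness half of the change described in the message above, as an added example that is not part of the original post and is not Chromium's code: a simplified model of the "potentially trustworthy" host check, run with and without the "localhost.localdomain" special case. The `legacyLocalDomain` switch, the `allowlist` option and the sample URLs are assumptions made for illustration; name resolution itself is not modelled.

```javascript
// Simplified model of the "potentially trustworthy" decision; added
// illustration, not Chromium's implementation.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Drop one trailing dot so "localhost." and "localhost" compare equal.
const bare = (host) => host.toLowerCase().replace(/\.$/, "");

// Loopback IP literal: 127.0.0.0/8 or ::1. URL.hostname is already
// normalised by the WHATWG parser ("127.1" becomes "127.0.0.1").
function isLoopbackLiteral(host) {
  if (host === "[::1]") return true;
  const m = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  return m !== null && Number(m[1]) === 127;
}

// "localhost" and any name under ".localhost".
function isLocalhostName(host) {
  const h = bare(host);
  return h === "localhost" || h.endsWith(".localhost");
}

// legacyLocalDomain (hypothetical switch): true models the behaviour
// the post proposes to remove. allowlist (hypothetical): origins the
// user has explicitly marked as trustworthy.
function isPotentiallyTrustworthy(urlString, opts = {}) {
  const { legacyLocalDomain = false, allowlist = [] } = opts;
  const url = new URL(urlString);
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  if (isLoopbackLiteral(url.hostname) || isLocalhostName(url.hostname)) return true;
  if (legacyLocalDomain && bare(url.hostname) === "localhost.localdomain") return true;
  return allowlist.includes(url.origin);
}

// Constructed sample URLs.
const SAMPLES = [
  "http://localhost:8080/",
  "http://app.localhost/",
  "http://127.0.0.1:3000/",
  "http://[::1]/",
  "http://localhost.localdomain:8080/",
  "http://example.test/",
];

// URLs whose classification differs between the two behaviours.
function changedByRemoval(samples = SAMPLES) {
  return samples.filter((u) =>
    isPotentiallyTrustworthy(u, { legacyLocalDomain: true }) !== isPotentiallyTrustworthy(u));
}

console.log(changedByRemoval());
```

Only the plain-HTTP "localhost.localdomain" origin changes classification; passing it in `allowlist` restores the trusted result for a development setup that depends on it.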