Hi, I'm going to try and land a patch for bug 1220810 today, which makes localhost addresses secure contexts. It seems there were attempts to land this change 7 months ago and again 3 months ago, but I can't find any intent email, so I'm sending this one.
Summary: Ensure that localhost addresses resolve to a loopback address, thereby ensuring that we can safely treat `http://localhost/` and `http://*.localhost/` as "Potentially Trustworthy". This addresses various bug reports from developers and aligns with specifications. Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1488740 Standards: https://w3c.github.io/webappsec-secure-contexts/#localhost https://tools.ietf.org/html/draft-west-let-localhost-be-localhost Platform coverage: All Preference: This will ship enabled by default (existing network.proxy.allow_hijacking_localhost preference can be used to disable the hardcoded loopback address and resolve proxy for localhost but I think it's mostly for internal testing). DevTools bug: N/A Other browsers: Chromium: Shipped since version 83 (https://bugs.chromium.org/p/chromium/issues/detail?id=589141#c15) WebKit: Considering (https://bugs.webkit.org/show_bug.cgi?id=171934#c73) web-platform-tests: This is covered by internal Gecko tests, but I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1672323 as a follow-up. -- Frédéric Wang _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
