On Aug 2, 2017, at 2:02 PM, Robert Edmonds <edmo...@mycre.ws> wrote: > draft-west-let-localhost-be-localhost-03 upgrades the requirements in > RFC 6761 ยง6.3 to make them much stricter, for all applications, > converting SHOULDs to MUSTs, etc. So we're not arguing about whether > localhost "should" be treated specially, but whether it MUST be treated > specially, by all applications. Can the W3C not impose stricter > requirements on browser developers even if 6761 doesn't impose mandatory > treatment for "localhost"?
It should be MUST in both cases. But writing that in an RFC doesn't make it so. Bear in mind when you look at the W3C document that it is talking about what would be ideal, not what is actually present in browsers. As an app developer worried about security footprint, I would be wiser to be cautious and use ::1 or 127.0.0.1, rather than using localhost and relying on the name resolution infrastructure. But the use case that I would be most skeptical about is using localhost in a URL. I think that should be MUST NOT. Apparently there is not wholehearted agreement on this topic, however... :)
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
