On Wed, Aug 2, 2017 at 4:27 PM, Ted Lemon <mel...@fugue.com> wrote:

> On Aug 2, 2017, at 2:02 PM, Robert Edmonds <edmo...@mycre.ws> wrote:
>
> draft-west-let-localhost-be-localhost-03 upgrades the requirements in
> RFC 6761 §6.3 to make them much stricter, for all applications,
> converting SHOULDs to MUSTs, etc. So we're not arguing about whether
> localhost "should" be treated specially, but whether it MUST be treated
> specially, by all applications. Can the W3C not impose stricter
> requirements on browser developers even if 6761 doesn't impose mandatory
> treatment for "localhost"?
>
>
> It should be MUST in both cases. But writing that in an RFC doesn't make
> it so. Bear in mind when you look at the W3C document that it is talking
> about what would be ideal, not what is actually present in browsers.
>
> As an app developer worried about security footprint, I would be wiser to
> be cautious and use ::1 or 127.0.0.1, rather than using localhost and
> relying on the name resolution infrastructure. But the use case that I
> would be most skeptical about is using localhost in a URL. I think that
> should be MUST NOT. Apparently there is not wholehearted agreement on
> this topic, however... :)
>
You have this backwards. Browsers today do take the more cautious, IP-based approach. It sucks for developers. They want to be able to use "localhost", but in order to do it safely, they will need to hard-wire it internally (since as you say, writing an RFC doesn't make resolvers change). And they don't want to hard-wire unless that's the clear semantic because standards are what make the web work.

--Richard
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
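
An added example, not part of the thread and not any browser's or resolver's code: a sketch of the hard-wiring discussed above, in which "localhost" and names under ".localhost" (the RFC 6761 §6.3 set) are answered with loopback addresses and never handed to the resolver. The function names and the `hostile_lookup` stand-in are assumptions made for the illustration.

```python
import ipaddress
import socket

LOOPBACK_ADDRS = ["127.0.0.1", "::1"]


def is_localhost_name(host):
    """True for "localhost" and names ending in ".localhost" (one trailing dot allowed)."""
    name = host[:-1] if host.endswith(".") else host
    name = name.lower()
    return name == "localhost" or name.endswith(".localhost")


def system_lookup(host):
    """Ask the platform resolver: the path that depends on name resolution infrastructure."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolve(host, lookup=system_lookup):
    """Hard-wired policy: localhost names are answered locally, never looked up."""
    if is_localhost_name(host):
        return list(LOOPBACK_ADDRS)
    return lookup(host)


def non_loopback_answers(host, lookup=system_lookup):
    """Audit helper: addresses the resolver returns for host that are not loopback."""
    return [a for a in lookup(host) if not ipaddress.ip_address(a).is_loopback]


# Constructed stand-in for a resolver that answers every name, "localhost" included,
# with a remote address (203.0.113.7 is in the TEST-NET-3 documentation range).
def hostile_lookup(host):
    hostile_lookup.calls.append(host)
    return ["203.0.113.7"]


hostile_lookup.calls = []

if __name__ == "__main__":
    print(resolve("localhost", hostile_lookup))               # hard-wired answer
    print(non_loopback_answers("localhost", hostile_lookup))  # what the resolver said
```

Passing `system_lookup` (the default) to `non_loopback_answers("localhost")` audits what the local machine's resolver actually returns for the name.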