On 17 Oct 2016, at 12:19, Erik Nygren wrote:
> In the hopes of allowing devices to some day drop their IPv4 stacks, one
> thing we will need to keep an eye out for is any behavior that encourages
> hard-coding 127.0.0.1 or ::1 rather than using a "localhost" abstraction.
>
> In the W3C WebAppSec Secure Context discussion, there has been concern that
> "localhost" shouldn't be a "secure context" (unlike 127.0.0.1 and ::1) due
> to resolvers not always returning localhost. I worry that this could
> result in increased use of "127.0.0.1" (such as by web pages containing
> URLs instructing clients to talk to a localhost resource service).
>
> Mike West has written up a "let localhost be localhost" draft to cover this:
> https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-02
>
> I'm sure feedback is quite welcome (and I wonder if sunset4 might be one
> reasonable place to pick up this work?).
Interesting issue. It certainly relates to name resolution not behaving
the way it should.
But yes, sunset4 makes sense to pick up this work.
Would one of you two be in Seoul? If yes, we could carve up 5-10 minutes
in the agenda for that topic.
Marc.
> Some background:
> https://github.com/w3c/webappsec-secure-contexts/issues/43
>
> - Erik
_______________________________________________
sunset4 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sunset4