It's a good proposal, and if it is reformulated as an I2S, I'll approve. Erik: let me know if I can help with paperwork there.
On Sat, Oct 19, 2024, 4:54 AM Mike Taylor <miketa...@chromium.org> wrote:

> Should this be an Intent to Ship?
>
> On 10/18/24 2:39 PM, 'Eric Lawrence' via blink-dev wrote:
>> CL: https://chromium-review.googlesource.com/c/chromium/src/+/5923046?tab=comments
>>
>> Today, if an https://localhost:* response sets Strict-Transport-Security, HTTPS upgrades will be applied to all subsequent http://localhost requests, regardless of port.
>>
>> Localhost is inherently a secure context, and Strict-Transport-Security response headers received on https://localhost responses can cause problems because they are not isolated by port. This leads to compatibility problems for end-users who use software packages that commonly spin up localhost webservers for ephemeral reasons (e.g. communication of an auth token from a web login to a local software package).
>>
>> This is also a source of friction for web developers who test their applications locally for the same reason.
>>
>> I propose we resolve this problem by matching Firefox's behavior and ignoring HSTS headers on responses returned from localhost URLs.
>>
>> As requested, I've proposed an errata for RFC6797 to add the following to section 8.1.1:
>>
>> If the substring matching the host production from the Request-URI (of the message to which the host responded) syntactically matches the string "localhost" or ends with ".localhost", then the UA MAY choose not to note this host as a Known HSTS host.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/138764fe-efad-406e-b3b0-3a1a600bc8d9n%40chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA44PQgH2Ng5yzLg_Y_KigG51%2BFvpXfZ9KW5vyO-obDG93Ps8g%40mail.gmail.com.
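An added example, not code from Chromium, Firefox or RFC 6797: a small JavaScript model of a browser's Known HSTS Host cache as RFC 6797 describes it, with the errata proposed above exposed as an opt-in flag. It shows the mechanism Eric's message relies on (the cache is keyed by host name only, so a header received on https://localhost:8443 upgrades a later http://localhost:3000 request, and includeSubDomains extends that to app.localhost) and how the "localhost" / ".localhost" host test stops it. The names HstsStore, isLocalhostName and demonstrate, the port numbers and the callback URL are assumptions made for this example.

```javascript
// Added example (not Chromium or Firefox code): a minimal model of a browser's
// Known HSTS Host cache per RFC 6797, with the proposed localhost errata as an
// opt-in flag. Names (HstsStore, isLocalhostName, demonstrate) are invented here.

// The errata's host test: "localhost" itself or any name ending in ".localhost".
function isLocalhostName(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, ''); // tolerate a trailing dot
  return h === 'localhost' || h.endsWith('.localhost');
}

class HstsStore {
  constructor({ ignoreLocalhost = false } = {}) {
    this.hosts = new Map(); // hostname -> { expires (ms since epoch), includeSubDomains }
    this.ignoreLocalhost = ignoreLocalhost;
  }

  // Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).
  // Returns null for a malformed header, which a UA must ignore entirely.
  static parseHeader(value) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const raw of value.split(';')) {
      const directive = raw.trim();
      if (!directive) continue;
      const eq = directive.indexOf('=');
      const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
      const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
      if (name === 'max-age') {
        // max-age is required, may appear only once, and must be a non-negative integer.
        if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
        maxAge = Number(val);
      } else if (name === 'includesubdomains') {
        includeSubDomains = true;
      }
      // Unrecognised directives are ignored.
    }
    return maxAge === null ? null : { maxAge, includeSubDomains };
  }

  // Called for every response. Only HTTPS responses may establish HSTS policy,
  // and the record is keyed by host name alone: the port of the response that
  // carried the header is not part of the key (RFC 6797 section 8.1.1).
  noteResponse(url, headerValue, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    if (this.ignoreLocalhost && isLocalhostName(u.hostname)) return false; // proposed errata
    const policy = HstsStore.parseHeader(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) {
      this.hosts.delete(u.hostname); // max-age=0 forgets the host
      return true;
    }
    this.hosts.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Known if there is an exact, unexpired record, or an unexpired record for a
  // superdomain that carries includeSubDomains.
  isKnown(hostname, now = Date.now()) {
    const labels = hostname.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.hosts.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // URI rewriting (RFC 6797 section 8.3): http becomes https, and an explicit
  // port other than 80 is carried over unchanged. That is why a record created
  // by https://localhost:8443 rewrites a later http://localhost:3000 request.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isKnown(u.hostname, now)) return url;
    u.protocol = 'https:'; // the URL parser maps a default port 80 onto the https default 443
    return u.href;
  }
}

// Constructed scenario (assumed ports and paths): a local tool's HTTPS listener
// on :8443 sends HSTS, then a separate loopback receiver on :3000 expects a plain
// HTTP callback carrying an auth code.
function demonstrate() {
  const header = 'max-age=31536000; includeSubDomains';
  const callback = 'http://localhost:3000/callback?code=abc';

  const current = new HstsStore();
  current.noteResponse('https://localhost:8443/', header);

  const proposed = new HstsStore({ ignoreLocalhost: true });
  proposed.noteResponse('https://localhost:8443/', header);

  return {
    current: current.upgrade(callback),    // rewritten to https; the :3000 listener never sees it
    proposed: proposed.upgrade(callback),  // left as http
    subdomain: current.upgrade('http://app.localhost:3000/'), // includeSubDomains reaches *.localhost too
  };
}
```

The store deliberately keys on host name and not on origin, because that is what RFC 6797 specifies and what produces the cross-port behaviour the proposal describes; the errata flag is checked before the header is parsed, so a localhost response cannot create or refresh a record at all, which also covers the includeSubDomains case where a record for "localhost" would otherwise reach every name under ".localhost".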