In the hopes of allowing devices to some day drop their IPv4 stacks, one
thing we will need to keep an eye out for is any behavior that encourages
hard-coding or ::1 rather than using a "localhost" abstraction.
In the W3C WebAppSec Secure Context discussion, there has been concern that
"localhost" shouldn't be a "secure context" (unlike and ::1) due
to resolvers not always returning localhost.  I worry that this could
result in increased use of "" (such as by web pages containing
URLs instructing clients to talk to a localhost resource service).

Mike West has written up a "let localhost be localhost" draft to cover this:

I'm sure feedback is quite welcome (and I wonder if sunset4 might be one
reasonable place to pick up this work?).

Some background:

- Erik
sunset4 mailing list

Reply via email to