In the hopes of allowing devices to some day drop their IPv4 stacks, one
thing we will need to keep an eye out for is any behavior that encourages
hard-coding 127.0.0.1 or ::1 rather than using a "localhost" abstraction.
In the W3C WebAppSec Secure Context discussion, there has been concern that
"localhost" shouldn't be a "secure context" (unlike 127.0.0.1 and ::1) due
to resolvers not always returning localhost. I worry that this could
result in increased use of "127.0.0.1" (such as by web pages containing
URLs instructing clients to talk to a localhost resource service).
Mike West has written up a "let localhost be localhost" draft to cover this:
I'm sure feedback is quite welcome (and I wonder if sunset4 might be one
reasonable place to pick up this work?).
sunset4 mailing list