On 17 Oct 2016, at 12:19, Erik Nygren wrote:

In the hopes of allowing devices to some day drop their IPv4 stacks, one thing we will need to keep an eye out for is any behavior that encourages hard-coding 127.0.0.1 or ::1 rather than using a "localhost" abstraction. In the W3C WebAppSec Secure Context discussion, there has been concern that "localhost" shouldn't be a "secure context" (unlike 127.0.0.1 and ::1) due to resolvers not always returning localhost. I worry that this could result in increased use of "127.0.0.1" (such as by web pages containing URLs instructing clients to talk to a localhost resource service).

Mike West has written up a "let localhost be localhost" draft to cover this:

     https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-02

I'm sure feedback is quite welcome (and I wonder if sunset4 might be one
reasonable place to pick up this work?).

Interesting issue. It certainly relates to name resolution not behaving the way it should.

But yes, sunset4 makes sense to pick up this work.

Would one of you two be in Seoul? If yes, we could carve up 5-10 minutes in the agenda for that topic.

Marc.


Some background:
https://github.com/w3c/webappsec-secure-contexts/issues/43

- Erik


_______________________________________________
sunset4 mailing list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4
