Currently, host name "localhost.localdomain" resolves to the loopback addresses ::1 and 127.0.0.1, bypassing native DNS, and the corresponding origin is treated as secured. The goal of this entry is to remove this non-standard behavior.

Motivation

Standards describe an optional resolution of the "localhost" host name and trustworthiness of corresponding origin [1] [2]. Users have complained about inconsistency between Chromium (which implements the spec), Firefox (which only implemented it recently) and WebKit (where patches are being submitted). Hopefully things can be make consistent and the specification a bit stricter. However, Chromium also has similar but non-standard behavior for "localhost.localdomain". Removing this would help to make things more predictable for users.

Specification

Editor's draft

Status in Chromium

Blink


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Owner

Comments

Analysis performed on BigQuery's response_bodies.2020_10_01_desktop, based on about 218315452 urls of HTTPArchive. Pages containing a quoted string with localhost.localdomain were extracted (more precisely, those matching the regexp r"[\"\'`][^\"\'`]*(?:localhost.localdomain)[^\"\'`]*[\"\'`]") and 8334 urls were found (for a total of 8746 matched strings). - 6533 of them contains a match of the form globalStorage["localhost.localdomain"] (corresponding to an API from Firefox < 13) the remaining cases represent less than 0.000009% of the original set. For the remaining cases: - 895 contain a match corresponding to an array of localhost names like "localhost","localhost.localdomain". - 675 contain a match corresponding to a fallback expression like ||"localhost.localdomain". - The remaining cases represent ~0.000001% of the original set.

Last updated on 2021-07-25