by Sidnicious 2726 days ago
It's worth noting that UAs can treat localhost, 127.0.0.1, etc. as secure even when they're visited over plain HTTP:

https://w3c.github.io/webappsec-secure-contexts/#potentially...

Chrome (in the post's screenshots) follows this; I'm not sure about other UAs.

2 comments

It is broken in Firefox since version 62 https://bugzilla.mozilla.org/show_bug.cgi?id=903966
That's an old, long closed bug. I think the bug you want is https://bugzilla.mozilla.org/show_bug.cgi?id=1488740
It's not, the comment is mistaken, CORS is unrelated.

But you need to use 127.0.0.1, not `localhost`

This does not work if you want to use a hostname other than "localhost" (for running VirtualHost) pointing to your local machine.
Open a world of fun by running your local services like proxies on 127.1.2.3, 127.2.3.4, etc. with the matching hostnames in /etc/hosts

You have 127.255.255.255 to play with!

You mean 127/8
There's nothing wrong with the previously used notation.
127/8 may only be understandable to those who already know that the whole 127.255.255.255 range is reserved for localhost use.

Sometimes being understandable is more important than using the most precise and shortest notation.

127.255.255.255 is a broadcast address in the /8. It doesn't describe the number of bits in the network. You need a netmask or CIDR notation for that. For IPv6 you need CIDR, so I suggest learning that.

CIDR is understandable for people who know basic networking. If someone doesn't understand what 127/8 means (which is totally OK if someone doesn't) I'd argue they shouldn't learn about the topic we discuss (valid HTTPS certs for localhost); they should learn something as basic as CIDR first. CIDR isn't difficult to understand. Basics first. You can't learn to speak English if you don't know how to open and close your mouth...

Yes, there is. Either you mention an IP address with a netmask such as 127.0.0.0 255.0.0.0 or you use CIDR. Mentioning a broadcast address to describe an address space is wrong because it doesn't describe how many bits (netmask and CIDR do that for IPv4).
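
An added example, not part of the thread and not any browser's source: a sketch of the "potentially trustworthy" URL check from the Secure Contexts draft linked at the top, showing why plain-HTTP addresses anywhere in 127.0.0.0/8 pass while a custom hostname mapped in /etc/hosts does not. The function name, the `trustLocalhostNames` switch and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration approximating the Secure Contexts draft's check.
// trustLocalhostNames is a hypothetical switch modelling a UA that trusts
// loopback IP literals but not the name "localhost".
function isPotentiallyTrustworthy(urlString, { trustLocalhostNames = true } = {}) {
  const url = new URL(urlString);

  // Authenticated, encrypted schemes are trustworthy regardless of host.
  if (url.protocol === "https:" || url.protocol === "wss:") return true;

  // The decision uses the host as written in the URL. No DNS or /etc/hosts
  // lookup happens, so a name that resolves to loopback gains nothing.
  const host = url.hostname.replace(/\.$/, "");

  // IPv6 loopback (::1/128); the WHATWG URL API keeps the brackets.
  if (host === "[::1]") return true;

  // IPv4 loopback: any address in 127.0.0.0/8. The URL parser has already
  // normalized shorthand such as 127.1 into dotted-quad form.
  const quad = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (quad) return Number(quad[1]) === 127;

  // "localhost" and names under ".localhost".
  if (trustLocalhostNames && (host === "localhost" || host.endsWith(".localhost"))) {
    return true;
  }
  return false;
}

// Constructed sample URLs covering the cases raised in the thread.
const samples = [
  "https://example.com/",
  "http://example.com/",
  "http://localhost:8080/",
  "http://127.0.0.1:3000/",
  "http://127.1.2.3/",
  "http://127.255.255.255/",
  "http://128.0.0.1/",
  "http://[::1]:8080/",
  "http://myapp.test/", // constructed name assumed to be mapped to 127.0.0.1 in /etc/hosts
];

for (const u of samples) {
  console.log(u.padEnd(28), isPotentiallyTrustworthy(u));
}
```

In a page's own script, `window.isSecureContext` reports the browser's actual decision for the current document.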