Currently, host name "localhost.localdomain" resolves to the loopback addresses ::1 and 127.0.0.1, bypassing native DNS, and the corresponding origin is treated as secured. The goal of this entry is to remove this non-standard behavior.
Motivation
Standards describe an optional resolution of the "localhost" host name and trustworthiness of corresponding origin [1] [2]. Users have complained about inconsistency between Chromium (which implements the spec), Firefox (which only implemented it recently) and WebKit (where patches are being submitted). Hopefully things can be make consistent and the specification a bit stricter. However, Chromium also has similar but non-standard behavior for "localhost.localdomain". Removing this would help to make things more predictable for users.
Documentation
Specification
Unknown standards status - check spec link for status
Status in Chromium
In development
(tracking bug)
Consensus & Standardization
Owner
Last updated on 2022-01-21
Comments
Analysis performed on BigQuery's response_bodies.2020_10_01_desktop, based on about 218315452 urls of HTTPArchive. Pages containing a quoted string with localhost.localdomain were extracted (more precisely, those matching the regexp r"[\"\'`][^\"\'`]*(?:localhost.localdomain)[^\"\'`]*[\"\'`]") and 8334 urls were found (for a total of 8746 matched strings). - 6533 of them contains a match of the form globalStorage["localhost.localdomain"] (corresponding to an API from Firefox < 13) the remaining cases represent less than 0.000009% of the original set. For the remaining cases: - 895 contain a match corresponding to an array of localhost names like "localhost","localhost.localdomain". - 675 contain a match corresponding to a fallback expression like ||"localhost.localdomain". - The remaining cases represent ~0.000001% of the original set.