Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) 37

Posted by msmash from the their-road,-their-rules dept.
Developer Mattias Geniar writes (condensed and edited for clarity): One of the next versions of Chrome is going to force all domains ending with .dev and .foo to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header. This very interesting commit just landed in Chromium:
Preload HSTS for the .dev gTLD:

This adds the following line to Chromium's preload lists:
{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },
It forces any domain on the .dev gTLD to be HTTPS.

What should we [developers] do? With .dev being an official gTLD, we're most likely better off changing our preferred local development suffix from .dev to something else. There's an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.
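
How entries like the two quoted above decide which hosts get upgraded, as an added example (not part of the original post and not Chromium's code): a simplified Python model in which a name matches exactly, or as a parent domain only when include_subdomains is true. The function names are hypothetical, and the port handling follows RFC 6797.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# The two entries quoted in the story, wrapped in a JSON array for parsing.
PRELOAD_JSON = """[
  { "name": "dev", "include_subdomains": true, "mode": "force-https" },
  { "name": "foo", "include_subdomains": true, "mode": "force-https" }
]"""


def load_entries(text):
    """Index preload entries by lower-cased name."""
    return {e["name"].lower(): e for e in json.loads(text)}


def matching_entry(host, entries):
    """Return the preload entry that covers host, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Try the full name first, then each parent domain, on label boundaries only.
    for i in range(len(labels)):
        entry = entries.get(".".join(labels[i:]))
        if entry is None or entry.get("mode") != "force-https":
            continue
        # i == 0 is an exact match; a parent match needs include_subdomains.
        if i == 0 or entry.get("include_subdomains"):
            return entry
    return None


def upgrade(url, entries):
    """Rewrite an http:// URL to https:// if its host is covered by the list."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if matching_entry(parts.hostname, entries) is None:
        return url
    # Explicit port 80 becomes the https default (443); other ports are kept.
    port = parts.port
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


ENTRIES = load_entries(PRELOAD_JSON)

if __name__ == "__main__":
    for u in ("http://site.dev/", "http://api.site.dev:8080/x",
              "http://site.localhost/", "http://dev.example.com/"):
        print(u, "->", upgrade(u, ENTRIES))
```

Because the match is on whole labels from the right, dev.example.com and a single-label host such as mydev are left alone, while every name under .dev or .foo is rewritten before any request leaves the browser.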

  • Maybe...? (Score:3)

    by cayenne8 ( 626475 ) on Monday September 18, 2017 @04:04PM (#55221423) Homepage Journal
    Maybe use a browser other than Chrome??

    • Re: (Score:3)

      by Z00L00K ( 682162 )

      All the striving to force users to go https has gone over the top. It's better to be nice about it.

      Many sites don't need https since there's not much to protect in the communication when people just look at memes and pictures of cats.

      Keep the https available for cases where users want to get the extra security. Assuming that users are stupid makes the users stupid.

  • Please see RFC6761 (Score:5, Informative)

    by mysidia ( 191772 ) on Monday September 18, 2017 @04:15PM (#55221501)

    .invalid and .localhost are already reserved for private usage.

  • .localhost TLD? (Score:3)

    by TheRealMindChild ( 743925 ) on Monday September 18, 2017 @04:17PM (#55221511) Homepage Journal
    And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds

    C'mon, we aren't talking some crazy complicated configuration here. DNSMasq: add "address=/localhost/127.0.0.1" to your config file. Boom. Done.

    • Re: (Score:2)

      by grub ( 11606 )
      I showed my 11 year old daughter your sig. She smiled and said "That's awesome! I'm going to get my engineers to make a combustible lemon that burns your house down!"
  • I use the .local domain on my home network. Those IP addresses are definitely not 127.0.0.1. I have no interest in changing to .localhost and/or setting up certificates for my intranet websites.

  • How about: Don't use a gTLD for your local DNS?

    Also, why are you doing web development without HTTPS unless you're planning on never using it? It's not like certificates cost anything. There's also nothing stopping you loading your own CA cert and signing your own certificates too.
    Browsers behave differently based on the protocol. Building against one set of rules and deploying against another is just asking for problems.

  • I've been using ".local" for years. I'd have no problem with ".localhost".
