Do you want to put a web page on a .local address to do something cool for your household or club? Here's the list of browser features that browser vendors have decided you're just not fuckin' allowed to use. https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts/features_restricted_to_secure_contexts

Some random site halfway around the world, served over https with a robo-verified certificate, is allowed, though, so take some comfort in that.


There's a discussion thread about allowing RFC 1918 addresses and their ip6 equivalents to participate in secure contexts at https://github.com/w3c/webappsec-secure-contexts/issues/60 . It is _eight years_ old without resolution.

I can't find any discussion at all on allowing the user to designate certain origins as secure contexts. Maybe that's a thing for some browsers.

The recommendation in that thread is to run a private CA for your LAN. Anyone who has experience doing that outside of a managed (i.e., corporate) network will tell you how hilariously useless that advice is.
@owen I use acme-dns authorized subdomain certificates on my lab, this is nearly as unreasonable as running a CA for my home network. And I have run one on a corporate network.
@ryanc @owen With DNS-PERSIST-01 it'll be easy to get real certs for your LAN-only devices.
@dalias @ryanc @owen With the right tooling, even DNS-01 isn't the worst.
@jima @ryanc @owen I just consider DNS-01 a giant weakness/violation of access controls. Automated processes should never have access to modify DNS, especially when that often (for non experts) means credentials to registrar.
@dalias @jima @ryanc @owen Well the challenge allows to delegate to another zone/nameserver (what I do here), but it's probably not the most typical setup.
@lanodan @dalias @ryanc @owen It's always so nice to meet other DNS weirdos. 🥰
@jima @lanodan @dalias @ryanc @owen Is the collective noun of DNS weirdos a delegation or a resolution?
@nowster @lanodan @dalias @ryanc @owen My vote is for "delegation." Good question!