Slashdot Mirror


Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be)

Developer Mattias Geniar writes (condensed and edited for clarity): One of the next versions of Chrome is going to force all domains ending with .dev and .foo to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header. This very interesting commit just landed in Chromium:
Preload HSTS for the .dev gTLD:


This adds the following line to Chromium's preload lists:
{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },

It forces any domain on the .dev gTLD to be HTTPS.

What should we [developers] do? With .dev being an official gTLD, we're most likely better off changing our preferred local development suffix from .dev to something else. There's an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.
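
Added example (not part of the story or of Chromium's code): a simplified JavaScript model of how a preload entry with "include_subdomains": true covers every host under a TLD, using the two entries quoted above. The function names and the sample hosts in the comments are hypothetical.

```javascript
// Simplified model of an HSTS preload lookup; not Chromium's implementation.
// The two entries are the ones quoted in the summary above.
const PRELOAD = [
  { name: "dev", include_subdomains: true, mode: "force-https" },
  { name: "foo", include_subdomains: true, mode: "force-https" },
];

const byName = new Map(PRELOAD.map((entry) => [entry.name, entry]));

// Return the preload entry that applies to `host`, or null.
// An exact match always applies; a match on a parent domain applies
// only when that entry sets include_subdomains.
function findPreloadEntry(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Walk from the full name up to the TLD, one whole label at a time,
    // so "devsite.com" never matches the "dev" entry.
    const candidate = labels.slice(i).join(".");
    const entry = byName.get(candidate);
    if (
      entry &&
      entry.mode === "force-https" &&
      (i === 0 || entry.include_subdomains)
    ) {
      return entry;
    }
  }
  return null;
}

// Rewrite an http:// URL to https:// when its host is covered by the list.
// An explicit non-default port is kept; anything else is returned as parsed.
function upgradeIfPreloaded(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" || !findPreloadEntry(url.hostname)) {
    return url.href;
  }
  url.protocol = "https:";
  return url.href;
}

// Constructed sample hosts:
//   upgradeIfPreloaded("http://site.dev/")       -> "https://site.dev/"
//   upgradeIfPreloaded("http://site.localhost/") -> "http://site.localhost/"
```

Because the rewrite happens inside the browser before any request is sent, a local site.dev that only listens on plain HTTP stops loading, while .test and .localhost names are untouched.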

6 of 220 comments

  1. Maybe...? by cayenne8 · · Score: 4, Insightful

    Maybe use a browser other than Chrome??

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. Switch to .test by Anonymous Coward · · Score: 5, Insightful

    .test is an IETF standard for this purpose. .dev never was. Google own .dev, and they own Chrome, so they are perfectly welcome to do this. We could argue as to whether a browser that enforces per-domain protocols is truly adhering to browser standards (and the larger ramifications if every browser coder started doing the same), but accept that you have zero right to use .dev as your personal fiefdom and move on to something that will remain easier for you to maintain.

    1. Re:Switch to .test by Anonymous Coward · · Score: 2, Insightful

      dev != test != prod

    2. Re:Switch to .test by grub · · Score: 3, Insightful

      NEEDS MOAR AGILE!!!11````

      --
      Trolling is a art,
  3. What should you do? by viperidaenz · · Score: 4, Insightful

    How about: Don't use a gTLD for your local DNS?

    Also, why are you doing web development without HTTPS unless you're planning on never using it? It's not like certificates cost anything. There's also nothing stopping you loading your own CA cert and signing your own certificates too.
    Browsers behave differently based on the protocol. Building against one set of rules and deploying against another is just asking for problems.

  4. Re:Yeah by scdeimos · · Score: 3, Insightful

    You should be using .test domains - that's recommended practice by W3C https://tools.ietf.org/id/draf....

    The .dev domains, on the other hand, are valid gTLD and are owned by Google. It's not surprising that Google wants to force HTTPS on a gTLD that they own.