The vast majority of the internet-consuming public should never come into contact with a "localhost" domain and that's how it should be. Most web developers probably already assume that's the case, but it's not quite. If an IETF standard newly proposed by Google engineer Mike West is accepted, however, the sanctity of localhost will finally be formalized as the one internet domain name that will never, ever be found on the actual internet.First, a bit of background. Domain names, such as motherboard.vice.com, are really just aliases for IP addresses, which are just numbers. When we punch a domain name into our browser, it's fired out to a Domain Name System (DNS) server, which translates it into the corresponding number. The thing we actually want—website content, email server, etc—is then fetched from that address.Localhost should always resolve to a single very special IP address: 127.0.0.1. This isn't a real IP address in the sense that it marks some resource out on yonder internet. It's a "loopback" address. A request sent to 127.0.0.1 doesn't really go anywhere—it's a self-reference. If I punch that number into my browser, my browser will try to request content being served from the same computer that made the request. And unless I happen to have a server running, said address will only return an error.The ability to loopback is pretty key when it comes to web development. It means that I can quickly deploy and make changes to a website or app without having to be constantly reuploading it to a remote server. That also means I don't have to worry about the insecurity of an unfinished app sitting out there on the publicly accessible internet. In such situations, the 127.0.0.1 address is almost always referenced as localhost.As West explains, current IETF standards actually do leave room for localhost to "escape" and reference other IP addresses, including regular old addresses that don't loop back. This is because a client (the computer sending the network request) is able to send localhost to DNS servers, which "are empowered to return unexpectedly non-loopback results."This is largely a security issue. Developers naturally treat the localhost domain as a "secure context" that is supposedly, by definition, not accessible to malicious outsiders. The proposed new standards "harden" the old standards in a couple of key ways:
Advertisement
1. Application software and name resolution APIs and libraries are prohibited from using searchlists when resolving localhost names.
It's always interesting to see how these standards are developed. It's really just a bunch of smart people figuring out things as they go and as the internet changes. They aren't infallible, however magical the internet may seem at times.2. Name resolution APIs and libraries are required to resolve localhost names to loopback addresses, without sending the query on to caching DNS servers.