Skip localhost when evaluating HSTS upgrades

ericlaw1979 · web-flow · commit bdb452ef7847 · 2024-11-05T09:55:40.000+01:00
Fixes #1780.
diff --git a/fetch.bs b/fetch.bs
@@ -4509,6 +4509,8 @@ steps:
    "<code>http</code>"
    <li><var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a> is a
    <a for=/>domain</a>
+   <li><var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>'s
+   <a for=host>public suffix</a> is not "<code>localhost</code>" or "<code>localhost.</code>"
    <li>Matching <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a> per
    <a href=https://www.rfc-editor.org/rfc/rfc6797.html#section-8.2>Known HSTS Host Domain Name Matching</a>
    results in either a superdomain match with an asserted <code>includeSubDomains</code> directive
