Skip localhost when evaluating HSTS upgrades

ericlaw1979 · pmeenan · commit b6c8a1fdfca4 · 2025-08-25T10:41:31.000-04:00
Fixes whatwg#1780.
diff --git a/fetch.bs b/fetch.bs
@@ -4517,6 +4517,8 @@ steps:
    "<code>http</code>"
    <li><var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a> is a
    <a for=/>domain</a>
+   <li><var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>'s
+   <a for=host>public suffix</a> is not "<code>localhost</code>" or "<code>localhost.</code>"
    <li>Matching <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a> per
    <a href=https://www.rfc-editor.org/rfc/rfc6797.html#section-8.2>Known HSTS Host Domain Name Matching</a>
    results in either a superdomain match with an asserted <code>includeSubDomains</code> directive
