localhost to be truly local?
From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 10 May 2021 15:52:53 +0200 (CEST)
Hi,
I've created PR #7039 that makes "localhost" resolve to 127.0.0.1 and ::1
without using the resolver [1].
The point of this is to make sure localhost is the local host for sure. With
this, we should be able to consider transfers from localhost to be using a
"secure context" as per web standards and for example allow 'secure' cookies
even for 'http://localhost' [5].
Firefox already does this [2].
Chrome has a page [3] tracking its and others' work on this and it says Edge
already does this.
In Chrome's bug entry for this task [4], it sounds as if 'localhost' is
already at least partially special-cased in Chrome code.
I've tried to find conclusive documentation on exactly how Windows deals with
this. They started to resolve 'localhost' without it being present in their
hosts file several years ago, but I've not found a reliable source for this. I
believe you can still put it in there and have it acknowledged.
curl's --resolve option and its libcurl counterpart still allow a user to
make localhost URLs connect to another IP address, just like for any other
name.
Your feedback and thoughts on this are most welcome!
[1] = https://github.com/curl/curl/pull/7039
[2] = https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
[3] = https://www.chromestatus.com/feature/6269417340010496#details
[4] = https://bugs.chromium.org/p/chromium/issues/detail?id=589141
[5] = https://github.com/curl/curl/issues/6733
--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://www.wolfssl.com/contact/
Received on 2021-05-10
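The lookup order the message describes, as an added illustration that is not taken from curl or PR #7039: a --resolve-style pin wins for any name, otherwise "localhost" gets the fixed 127.0.0.1 and ::1 with no resolver call. The names `pin`, `lookup`, `is_loopback` and `localhost_is_secure` are hypothetical, and requiring loopback addresses before granting secure-context treatment is an assumed policy of this sketch, not something the message says curl does.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for this sketch; none of this is curl's internal API. */
struct pin { const char *host, *addr; };   /* one --resolve-style entry */

/* Returns the number of addresses stored in out[]; 0 means the caller
   would fall through to the system resolver (hosts file, DNS, ...). */
size_t lookup(const char *host, const struct pin *pins, size_t npins,
              const char **out, size_t max)
{
  size_t n = 0, i;
  for(i = 0; i < npins && n < max; i++)    /* user pins win for any name */
    if(!strcasecmp(pins[i].host, host))
      out[n++] = pins[i].addr;
  if(!n && !strcasecmp(host, "localhost")) { /* fixed; resolver is skipped */
    if(n < max) out[n++] = "127.0.0.1";
    if(n < max) out[n++] = "::1";
  }
  return n;
}

/* Parse the literal instead of comparing text: 127.0.0.0/8 or ::1. */
int is_loopback(const char *addr)
{
  static const unsigned char lo6[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
  unsigned char b[16];
  if(inet_pton(AF_INET, addr, b) == 1)
    return b[0] == 127;
  return inet_pton(AF_INET6, addr, b) == 1 && !memcmp(b, lo6, 16);
}

/* Assumed policy: "localhost" counts as a secure context only if every
   address it maps to is loopback, so a pin to a remote IP disqualifies it. */
int localhost_is_secure(const struct pin *pins, size_t npins)
{
  const char *a[8];
  size_t i, n = lookup("localhost", pins, npins, a, 8);
  for(i = 0; i < n; i++)
    if(!is_loopback(a[i]))
      return 0;
  return n > 0;
}

int main(void)
{
  struct pin p = { "localhost", "203.0.113.7" }; /* constructed sample pin */
  return !(localhost_is_secure(NULL, 0) && !localhost_is_secure(&p, 1));
}
```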