
Re: localhost to be truly local?

From: Geoff Beier via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 10 May 2021 10:35:47 -0400

On May 10 2021, at 9:52 am, Daniel Stenberg via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> The point of this is to make sure localhost is the local host for sure. With
> this, we should be able to consider transfers from localhost to be using a
> "secure context" as per web standards and for example allow 'secure' cookies
> even for 'http://localhost' [5].
>

If this is the main goal, it seems useful to test all resolved addresses
to see if they're loopback addresses, and flag them as a
"secure context" if they are. That would both make sure the address
returned when localhost is resolved is really local and let other
aliases for loopback addresses be recognized that way.

This is the kind of test I'm thinking of:
https://github.com/boostorg/asio/blob/558aeb8ea8a2d889ab17a79b9de13566182801e2/include/boost/asio/ip/impl/address_v4.ipp#L112

https://github.com/boostorg/asio/blob/558aeb8ea8a2d889ab17a79b9de13566182801e2/include/boost/asio/ip/impl/address_v6.ipp#L144

Either way, I think the proposal is a good idea and this is not meant as
an attempt to argue about what color the bike shed should be.


Received on 2021-05-10
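
The test proposed in the message above, as an added C sketch that is not code from curl, Boost.Asio or the post's author: a resolver answer counts as local only when every address in it is loopback. The function names are hypothetical, and treating IPv4-mapped 127.0.0.0/8 as loopback is this example's assumption.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* expose getaddrinfo() under strict -std= */
#endif
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* 127.0.0.0/8, ::1, or (this example's choice) IPv4-mapped 127.0.0.0/8. */
int sockaddr_is_loopback(const struct sockaddr *sa)
{
  if(sa->sa_family == AF_INET)
    return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr) >> 24) == 127;
  if(sa->sa_family == AF_INET6) {
    const struct in6_addr *a = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    return IN6_IS_ADDR_LOOPBACK(a) ||
           (IN6_IS_ADDR_V4MAPPED(a) && a->s6_addr[12] == 127);
  }
  return 0; /* unknown address family: never local */
}

/* Fail closed: an empty answer or one non-loopback entry is not local. */
int addrinfo_all_loopback(const struct addrinfo *res)
{
  if(!res)
    return 0;
  for(; res; res = res->ai_next)
    if(!res->ai_addr || !sockaddr_is_loopback(res->ai_addr))
      return 0;
  return 1;
}

/* Constructed stand-in for a resolver answer: numeric literals, no DNS. */
int literals_all_loopback(const char *const *ips, size_t n)
{
  struct addrinfo hints = { .ai_flags = AI_NUMERICHOST, .ai_socktype = SOCK_STREAM }, *one;
  int ok = n > 0;
  for(size_t i = 0; ok && i < n; i++) {
    if(getaddrinfo(ips[i], NULL, &hints, &one))
      return 0; /* unparsable input is not local */
    ok = addrinfo_all_loopback(one);
    freeaddrinfo(one);
  }
  return ok;
}

int main(void)
{
  const char *sample[] = { "127.0.0.1", "::1" }; /* constructed input */
  return !literals_all_loopback(sample, 2);
}
```

In a real client the list passed to `addrinfo_all_loopback()` would be the `getaddrinfo()` result for the host name being connected to.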