Re: localhost to be truly local?
From: Geoff Beier via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 10 May 2021 10:35:47 -0400
On May 10 2021, at 9:52 am, Daniel Stenberg via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> The point of this is to make sure localhost is the local host for sure. With
> this, we should be able to consider transfers from localhost to be using a
> "secure context" as per web standards and for example allow 'secure' cookies
> even for 'http://localhost' [5].
>
If this is the main goal, it seems useful to test all resolved addresses
to see if they're loopback addresses, and flag them as a
"secure context" if they are. That would both make sure the address
returned when localhost is resolved is really local and let other
aliases for loopback addresses be recognized that way.
This is the kind of test I'm thinking of:
https://github.com/boostorg/asio/blob/558aeb8ea8a2d889ab17a79b9de13566182801e2/include/boost/asio/ip/impl/address_v4.ipp#L112
https://github.com/boostorg/asio/blob/558aeb8ea8a2d889ab17a79b9de13566182801e2/include/boost/asio/ip/impl/address_v6.ipp#L144
Either way, I think the proposal is a good idea and this is not meant as
an attempt to argue about what color the bike shed should be.
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-05-10