[whatwg/url] Canonicalised IPv4 concept allows for obfuscating real dest IP in URL (#456)

**Example:** 
`http://10.0.514`
redirects to 
`http://10.0.2.2`
in Firefox and Chrome browsers 

(as you can see in my profile)

`http://0177.0.0.01` to `127.0.0.1`
![image](https://user-images.githubusercontent.com/5124946/67234510-4de63800-f413-11e9-830f-0d0bbba310c8.png)

**Issue:** This is a security risk (albeit low) because it allows the real destination IP host to be obfuscated in a URL. 

Firefox implementation - https://bugzilla.mozilla.org/show_bug.cgi?id=1288049

**Bringing up security considerations:**
https://bugzilla.mozilla.org/show_bug.cgi?id=1381139
https://bugzilla.mozilla.org/show_bug.cgi?id=67730 (related issue from 19 years ago, still open)

**p.s.** Also, what is the actual use case for this?
I'm not intimate with the WHATWG specs, but frankly, this seems really silly in general.
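To show why `10.0.514` and `0177.0.0.01` end up where they do, here is an added example (not part of the issue, nor the WHATWG spec's own text or any browser's code) that re-implements the spec's IPv4 host parser in JavaScript, plus a hypothetical defender-side helper, `isLoopbackHost`, that canonicalises before comparing against a deny-list:

```javascript
// Parse one dotted part the way the WHATWG IPv4 number parser does:
// "0x"/"0X" prefix -> hex, leading "0" -> octal, otherwise decimal.
// Returns null when the part is not a valid number.
function parseIPv4Number(s) {
  if (s === "") return null;
  let radix = 10;
  if (/^0[xX]/.test(s)) { s = s.slice(2); radix = 16; }
  else if (s.length > 1 && s[0] === "0") { s = s.slice(1); radix = 8; }
  if (s === "") return 0; // bare "0x" or "0" prefix means zero
  const digits = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  if (!digits.test(s)) return null;
  return parseInt(s, radix);
}

// WHATWG IPv4 parser: one to four parts are allowed, and the last part
// supplies all remaining low-order bytes. Returns the canonical dotted
// quad, or null if the host does not parse as an IPv4 address.
function canonicalIPv4(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop();
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.some((n) => n === null)) return null;
  // Every part except the last must fit in a single byte...
  if (nums.slice(0, -1).some((n) => n > 255)) return null;
  // ...and the last must fit in the bytes that remain.
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let ipv4 = last;
  nums.slice(0, -1).forEach((n, i) => { ipv4 += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((sh) => (ipv4 >>> sh) & 255).join(".");
}

// Hypothetical defender check: a naive string match on "127.0.0.1" would
// miss "0177.0.0.01"; canonicalising first closes that gap.
function isLoopbackHost(host) {
  const canonical = canonicalIPv4(host);
  return canonical !== null && canonical.startsWith("127.");
}
```

The same canonical form is what the browser's address bar shows after the redirect, so any allow/deny-list should be applied to the canonical host rather than to the raw URL text.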


https://github.com/whatwg/url/issues/456

Received on Monday, 21 October 2019 18:59:57 UTC