- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Wed, 4 May 2016 05:42:46 +0000
- To: Mike West <mkwst@google.com>
- CC: Axel Nennker <Axel.Nennker@telekom.de>, Richard Barnes <rbarnes@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Eduardo' Vela <Nava>" <evn@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
What about the rest of 128.0.0.0/8? And ::1/128 for IPv6?

Cheers,

> On 3 May 2016, at 8:18 PM, Mike West <mkwst@google.com> wrote:
>
> On Tue, May 3, 2016 at 12:09 PM, <Axel.Nennker@telekom.de> wrote:
> We used things like file:/// and http://localhost/ in the past but never built a product using it because the behavior changed even from browser version to browser version.
>
> 1. I don't think folks should use `file:` for anything.
> 2. `localhost` is a bit of a problem, actually. I'll start another thread for that.
> 3. `127.0.0.1` is pretty safe.
>
> So if MIX gets me a standard way of communication with an app or local server then I want this.
>
> Well, this, of course, is what I'm worried about. I don't actually want to create such a standard, except insofar as it's more restrictive than the status quo. My suggestion here is only that MIX is the wrong place to create such a policy.
>
> The approach I'm prototyping in Chrome today is https://mikewest.github.io/cors-rfc1918/, which seems like a reasonable middle ground, especially in possible combination with explicit user mediation.
>
> -mike

--
Mark Nottingham mnot@akamai.com https://www.mnot.net/
Received on Wednesday, 4 May 2016 05:43:19 UTC