[whatwg/fetch] Exclude localhost from HTTPS upgrades (Issue #1780)

### What is the issue with the Fetch Standard?

http://localhost is already a potentially trustworthy URL. `Upgrade-insecure-requests` already skips localhost, and HSTS should too. Otherwise, problems occur when a web developer self-hosts multiple services on localhost, or if an end-user attempts to use any of many software packages that use ephemeral localhost web servers.

Currently, https://fetch.spec.whatwg.org/#concept-main-fetch includes:

> Set request’s [current URL](https://fetch.spec.whatwg.org/#concept-request-current-url)’s [scheme](https://url.spec.whatwg.org/#concept-url-scheme) to "https" if all of the following conditions are true:
> 
> - request’s [current URL](https://fetch.spec.whatwg.org/#concept-request-current-url)’s [scheme](https://url.spec.whatwg.org/#concept-url-scheme) is "http"
> - request’s [current URL](https://fetch.spec.whatwg.org/#concept-request-current-url)’s [host](https://url.spec.whatwg.org/#concept-url-host) is a [domain](https://url.spec.whatwg.org/#concept-domain)
> - Matching request’s [current URL](https://fetch.spec.whatwg.org/#concept-request-current-url)’s [host](https://url.spec.whatwg.org/#concept-url-host) per [Known HSTS Host Domain Name Matching](https://www.rfc-editor.org/rfc/rfc6797.html#section-8.2) results in either a superdomain match with an asserted includeSubDomains directive or a congruent match (with or without an asserted includeSubDomains directive) [[HSTS]](https://fetch.spec.whatwg.org/#biblio-hsts); or DNS resolution for the request finds a matching HTTPS RR per [section 9.5](https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https#section-9.5) of [[SVCB]](https://fetch.spec.whatwg.org/#biblio-svcb). [[HSTS]](https://fetch.spec.whatwg.org/#biblio-hsts) [[SVCB]](https://fetch.spec.whatwg.org/#biblio-svcb)

I propose we add an additional restriction clause:

> - request’s [current URL](https://fetch.spec.whatwg.org/#concept-request-current-url)’s [host](https://url.spec.whatwg.org/#concept-url-host)’s [public suffix](https://url.spec.whatwg.org/#host-public-suffix) is not "localhost" or "localhost."
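To make the effect of the proposed clause concrete, here is an added example (not code from the Fetch Standard or from this issue) that models the HSTS branch of the upgrade step with and without the localhost exclusion. The HSTS store is constructed for the demonstration, and the "public suffix is localhost" test is approximated as a plain suffix check on the host rather than a full public-suffix lookup.

```python
from urllib.parse import urlsplit, urlunsplit
import ipaddress

# Constructed HSTS store for the example: known host -> includeSubDomains asserted?
# A self-hosted dev service on localhost that sends HSTS would land here.
HSTS_STORE = {
    "example.com": True,
    "api.example.net": False,
    "localhost": True,
}

def is_domain(host: str) -> bool:
    """URL Standard 'domain': a non-empty host that is not an IP address."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False
    except ValueError:
        return True

def hsts_match(host: str, store=HSTS_STORE) -> bool:
    """RFC 6797 §8.2: congruent match, or superdomain match with includeSubDomains."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in store:
            if i == 0 or store[candidate]:
                return True
    return False

def localhost_public_suffix(host: str) -> bool:
    """Proposed clause (assumed suffix approximation): 'localhost' or '*.localhost', trailing dot allowed."""
    h = host.lower()[:-1] if host.endswith(".") else host.lower()
    return h == "localhost" or h.endswith(".localhost")

def upgrade_url(url: str, exclude_localhost: bool = True, store=HSTS_STORE) -> str:
    """Apply the main-fetch HSTS upgrade; return the URL, rewritten to https only if it applies."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not is_domain(host):
        return url
    if exclude_localhost and localhost_public_suffix(host):
        return url          # the proposed restriction: never upgrade localhost
    if hsts_match(host, store):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```

With `exclude_localhost=False` the current spec text is modelled, so `http://app.localhost:3000/` is rewritten to https once any localhost service has asserted HSTS with includeSubDomains; with the exclusion it stays http.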


https://github.com/whatwg/fetch/issues/1780

Received on Thursday, 24 October 2024 18:25:26 UTC