- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 7 Nov 2014 11:21:44 +0100
- To: Mike West <mkwst@google.com>
- Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, Valentin Gosu <valentin.gosu@gmail.com>

On Fri, Nov 7, 2014 at 11:05 AM, Mike West <mkwst@google.com> wrote:
> My worry is that we'd be unable to support internal names on intranets. For
> instance, consider an internal shortlinking service named
> `go.internal.megacorp.com`, which is accessible by typing `go`. If we
> automagically assume that `go` is `go.`, then we'd break the resolution,
> right?

I suppose we would, yes. Seems hard for such a service to protect itself from the internal network if the setup was like that though, no?

> I think we'd have to limit the behavior to public suffixes, which seems
> strange to bring into URL parsing.

Agreed. So either we make it a UA-initiated redirect for public suffixes or we just deal with the brokenness and define that for certificates (and HSTS, anything else?) they are identical.

--
https://annevankesteren.nl/

Received on Friday, 7 November 2014 10:22:10 UTC