Re: [MIX] Carveout for `127.0.0.1`?

On Tue, May 3, 2016 at 12:09 PM, <Axel.Nennker@telekom.de> wrote:

> We used things like file:/// and http://localhost/ in the past but never
> built a product using it because the behavior changed even from browser
> version to browser version.

1. I don't think folks should use `file:` for anything.
2. `localhost` is a bit of a problem, actually. I'll start another thread
for that.
3. `127.0.0.1` is pretty safe.

> So if MIX gets me a standard way of communication with an app or local
> server then I want this.

Well, this, of course, is what I'm worried about. I don't actually want to
create such a standard, except insofar as it's more restrictive than the
status quo. My suggestion here is only that MIX is the wrong place to
create such a policy.

The approach I'm prototyping in Chrome today is
https://mikewest.github.io/cors-rfc1918/, which seems like a reasonable
middle ground, especially in possible combination with explicit user
mediation.

-mike

Received on Tuesday, 3 May 2016 10:19:11 UTC