Re: [MIX] Carveout for `127.0.0.1`?

From: Nottingham, Mark <mnotting@akamai.com>
Date: Wed, 4 May 2016 05:42:46 +0000
To: Mike West <mkwst@google.com>
CC: Axel Nennker <Axel.Nennker@telekom.de>, Richard Barnes <rbarnes@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Eduardo' Vela <Nava>" <evn@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <3422C179-F8BD-4841-AEB8-0D6115E914B3@akamai.com>

What about the rest of 128.0.0.0/8? And ::1/128 for IPv6?

Cheers,


> On 3 May 2016, at 8:18 PM, Mike West <mkwst@google.com> wrote:
> 
> On Tue, May 3, 2016 at 12:09 PM, <Axel.Nennker@telekom.de> wrote:
> We used things like file:/// and http://localhost/ in the past but never built a product using it because the behavior changed even from browser version to browser version.
> 
> 1. I don't think folks should use `file:` for anything.
> 2. `localhost` is a bit of a problem, actually. I'll start another thread for that.
> 3. `127.0.0.1` is pretty safe.
> So if MIX gets me a standard way of communication with an app or local server then I want this.
> 
> Well, this, of course, is what I'm worried about. I don't actually want to create such a standard, except insofar as it's more restrictive than the status quo. My suggestion here is only that MIX is the wrong place to create such a policy.
> 
> The approach I'm prototyping in Chrome today is https://mikewest.github.io/cors-rfc1918/, which seems like a reasonable middle ground, especially in possible combination with explicit user mediation.
> 
> -mike

--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/
Received on Wednesday, 4 May 2016 05:43:19 UTC
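As an added illustration of the question raised above (not part of the thread or of any browser's code), the check below contrasts a carveout that matches only the literal `127.0.0.1` with one covering the whole loopback range, assuming 127.0.0.0/8 and ::1/128 are the ranges in question; the policy sets and sample URLs are constructed, and the IPv4-mapped IPv6 literal is included as an edge case that a literal-only rule would otherwise miss.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy sets (assumed for this example): the narrow carveout that
# admits only the literal 127.0.0.1, and the wider one that admits the whole
# loopback range of both address families.
NARROW_CARVEOUT = [ipaddress.ip_network("127.0.0.1/32")]
WIDE_CARVEOUT = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def host_address(url):
    """Return the IP literal used as the host of `url`, or None for a DNS name."""
    host = urlsplit(url).hostname  # brackets around IPv6 literals are stripped
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a name such as localhost, which resolution decides later
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) still reaches IPv4 loopback,
    # so classify it by the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_carved_out(url, carveout):
    """True when the URL's host is an IP literal inside one of the carveout networks."""
    addr = host_address(url)
    if addr is None:
        return False
    return any(addr in net for net in carveout)


def compare_policies(urls):
    """Map each URL to its (narrow, wide) decision so the gap between the two is visible."""
    return {u: (is_carved_out(u, NARROW_CARVEOUT), is_carved_out(u, WIDE_CARVEOUT)) for u in urls}


SAMPLE_URLS = [  # constructed inputs
    "http://127.0.0.1:8080/api",
    "http://127.0.0.2/api",
    "http://[::1]/api",
    "http://[::ffff:127.0.0.1]/api",
    "http://localhost/api",
    "http://10.0.0.5/api",
]
```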