On May 10 2021, at 9:52 am, Daniel Stenberg via curl-library <curl-library@cool.haxx.se> wrote:
>
> The point of this is to make sure localhost is the local host for sure. With
> this, we should be able to consider transfers from localhost to be using a
> "secure context" as per web standards and for example allow 'secure' cookies
> even for 'http://localhost' [5].
>

If this is the main goal, it seems useful to test all resolved addresses to see if they're loopback addresses, and flag them as a "secure context" if they are. That would both make sure the address returned when localhost is resolved is really local and let other aliases for loopback addresses be recognized that way.

This is the kind of test I'm thinking of:

https://github.com/boostorg/asio/blob/558aeb8ea8a2d889ab17a79b9de13566182801e2/include/boost/asio/ip/impl/address_v4.ipp#L112
https://github.com/boostorg/asio/blob/558aeb8ea8a2d889ab17a79b9de13566182801e2/include/boost/asio/ip/impl/address_v6.ipp#L144

Either way, I think the proposal is a good idea and this is not meant as an attempt to argue about what color the bike shed should be.