+1 imho that would be the best idea, and the local/non-local check should happen inside the same PKI-validation logic flow that is used for certificate validation.
If the URL resource resolves to local IP addresses then only reserved names from https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf should be allowed to continue with the certificate validation logic. I think that would be the best approach that also allows continued use of internal names for local IP addresses.

Adrian R.

Matthew Hardeman wrote:
> The only way that will ever happen is to fix the browser to kill the
> capability to hit a local IP endpoint if the main resource is non-local.
> Once that change is made, the software developers will have far less
> incentive to do things like this.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy