Daniel Stenberg via curl-library
2021-05-10 13:52:53 UTC
Hi,
I've created PR #7039 that makes "localhost" resolve to 127.0.0.1 and ::1
without using the resolver [1].
The point of this is to make sure localhost is the local host for sure. With
this, we should be able to consider transfers from localhost to be using a
"secure context" as per web standards and for example allow 'secure' cookies
even for 'http://localhost' [5].
Firefox already does this [2].
Chrome has a page [3] tracking its and others work on this and it says Edge
already does this.
In Chrome's bug entry for this task [4], it sounds as if 'localhost' is
already at least partially special-cased in Chrome code.
I've tried to find conclusive documentation on exactly how Windows deals with
this. They started to resolve 'localhost' without it being present in their
hosts file several years ago, but I've not found reliable source for this. I
believe you can still put it in there and have it acknowledged.
curl's --resolve option and its libcurl counterpart still allows a user to
make localhost URL's connect to another IP address, just like for any other
name.
Your feedback and thoughts on this are most welcome!
[1] = https://github.com/curl/curl/pull/7039
[2] = https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
[3] = https://www.chromestatus.com/feature/6269417340010496#details
[4] = https://bugs.chromium.org/p/chromium/issues/detail?id=589141
[5] = https://github.com/curl/curl/issues/6733
I've created PR #7039 that makes "localhost" resolve to 127.0.0.1 and ::1
without using the resolver [1].
The point of this is to make sure localhost is the local host for sure. With
this, we should be able to consider transfers from localhost to be using a
"secure context" as per web standards and for example allow 'secure' cookies
even for 'http://localhost' [5].
Firefox already does this [2].
Chrome has a page [3] tracking its and others work on this and it says Edge
already does this.
In Chrome's bug entry for this task [4], it sounds as if 'localhost' is
already at least partially special-cased in Chrome code.
I've tried to find conclusive documentation on exactly how Windows deals with
this. They started to resolve 'localhost' without it being present in their
hosts file several years ago, but I've not found reliable source for this. I
believe you can still put it in there and have it acknowledged.
curl's --resolve option and its libcurl counterpart still allows a user to
make localhost URL's connect to another IP address, just like for any other
name.
Your feedback and thoughts on this are most welcome!
[1] = https://github.com/curl/curl/pull/7039
[2] = https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
[3] = https://www.chromestatus.com/feature/6269417340010496#details
[4] = https://bugs.chromium.org/p/chromium/issues/detail?id=589141
[5] = https://github.com/curl/curl/issues/6733
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: