WICG / private-network-access

https://wicg.github.io/private-network-access/

Decide how to treat 0.0.0.0 #71

Open letitz opened 2 years ago

letitz commented 2 years ago

Currently in Chromium, 0.0.0.0 is sorted into the "unknown" address space, which means it mostly behaves as "public". This specification treats 0.0.0.0 as "public".

A public website can abuse this to load a resource from localhost by replacing 127.0.0.1 with 0.0.0.0, which routes to localhost on Mac and Linux.

It seems that 0.0.0.0 should be treated as "local" instead, since its meaning is different for every host.
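To make the classification gap concrete, here is an added example (not code from the specification or from Chromium) of a Private Network Access style address-space classifier with the "0.0.0.0 is public" behaviour beside the proposed "0.0.0.0 is local" fix. The block lists are this example's own reading of the draft, and the IPv6 unspecified address `::` is handled alongside 0.0.0.0 as an assumed generalization.

```python
import ipaddress
from enum import IntEnum


class AddressSpace(IntEnum):
    """Address spaces from the Private Network Access draft, ordered from
    least to most restricted."""
    PUBLIC = 0
    PRIVATE = 1
    LOCAL = 2


# Assumed block lists (this example's reading of the draft): loopback is
# "local", RFC 1918 / link-local / ULA ranges are "private", the rest "public".
_LOCAL_BLOCKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
_PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]
# The unspecified addresses (0.0.0.0 and its IPv6 counterpart "::") fall
# outside every block above, so a naive classifier calls them "public".
_UNSPECIFIED = [ipaddress.ip_network(n) for n in ("0.0.0.0/32", "::/128")]


def address_space(ip: str, unspecified_is_local: bool) -> AddressSpace:
    """Classify an IP literal. With unspecified_is_local=False this mirrors
    the behaviour the issue reports (0.0.0.0 ends up "public"); with True it
    applies the proposed fix and treats it as "local"."""
    addr = ipaddress.ip_address(ip)
    if any(addr in block for block in _LOCAL_BLOCKS):
        return AddressSpace.LOCAL
    if any(addr in block for block in _UNSPECIFIED):
        return AddressSpace.LOCAL if unspecified_is_local else AddressSpace.PUBLIC
    if any(addr in block for block in _PRIVATE_BLOCKS):
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC


def is_private_network_request(initiator: AddressSpace, target: AddressSpace) -> bool:
    """A fetch is a private network request, and so subject to PNA's extra
    checks, when the target sits in a more restricted space than the initiator."""
    return target > initiator


def public_page_can_reach(target_ip: str, unspecified_is_local: bool) -> bool:
    """True when a request from a public page to target_ip is classified as
    same-space and therefore skips the PNA checks entirely."""
    target = address_space(target_ip, unspecified_is_local)
    return not is_private_network_request(AddressSpace.PUBLIC, target)
```

With `unspecified_is_local=False`, 127.0.0.1 is correctly gated but 0.0.0.0 passes as same-space, which on hosts where 0.0.0.0 reaches the loopback interface is exactly the bypass described above; flipping the flag closes it.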

letitz commented 2 years ago

It seems that 0.0.0.0 does not map to localhost on Windows: https://superuser.com/questions/536156/how-do-i-get-0-0-0-0-to-resolve-to-localhost-when-browsing-a-url-that-contains-0

Still, its meaning differs based on the computer resolving the address.

annevk commented 2 years ago

See also https://github.com/whatwg/fetch/issues/1117.

avioligo commented 6 months ago

I did some research on this matter and managed to fingerprint website visitors without any cookies.

POC: http://ports.sh

correabuscar commented 6 months ago

> I did some research on this matter and managed to fingerprint website visitors without any cookies.
>
> POC: http://ports.sh

But why did "you" make a seemingly new GitHub account (@avioligo) to say that? Why not use the same one, @avilum? Seemed a bit fishy at first glance :D

EDIT: now "we" (presumably) know who (is the "external researcher" that) reported this https://issues.chromium.org/issues/332410234 then =) but no worries, it's "Access is denied to this issue at this time" xD

avioligo commented 6 months ago

@correabuscar Because I work at oligo.security and currently work on this :)

See https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild

avilum commented 6 months ago

And I confirm @avioligo is my work account :) Thanks for thinking twice! It is very responsible, @correabuscar.