Closed sebsel closed 2 years ago
Thinking out loud: if this is the case, then should localhost
be listed too? Feels like this opens a large set of other hosts too that we can't all mention but can be local too.
This makes sense. Separately, we can recommend that the server resolve the domain name first and not fetch the URL if it resolves to an IP address in the loopback (RFC 5735) or other restricted range. (e.g. i can make a domain name localhost.example.com that resolves to 127.1.1.1 which is also a loopback address) I'll add that as a separate commit.
This is my attempt to fix that. Hope I picked the right place and words.