-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why is the "local" / "private" distinction made? #15
Comments
We could at least classify link-local IPv6 addresses as That said, this distinction seems to come from Opera's initial behavior. Philosophically, intranet websites accessing something on I don't have a strong preference here, just trying to hash out arguments in favor of the status quo. |
One thing that might be interesting to look at is whether we could always require a preflight for inter-non-local communication. That would sidestep the classification issue of private vs local. If we cannot require that it's probably still valuable to have the distinction. (Might have changed my mind a bit since I wrote OP.) |
What do you mean by "inter-non-local communication"? Do you mean all requests between non-public endpoints? If so, I have also been thinking about this. For the moment I'm keeping #1 in my pocket for later, but I'd be interested in pre-flighting all cross-origin non-public-to-public requests. |
Not all, but all of requests between non-local addresses that are cross-origin, e.g., from |
(months pass) Yes, I think that would be a good thing to do eventually. I suspect however that it would result in much more widespread breakage on the web. Regarding the
In this view, |
So is the handshake currently identical? That is, public -> private is the same dance as private -> local? It looks that way, but I'm not confident. Or in other words, is the distinction only relevant for when to trigger the handshake? So if we indeed were able to pull of requiring opt-in all the time it wouldn't really change the protocol? (Should we track this aspiration in its own issue?) |
The handshake is indeed identical, modulo the origins involved just like in regular CORS.
Correct, nothing would change except that we would trigger the pre-flight in more cases.
I've been referencing #1 for this, but it's an old PR and not an issue... I've been too lazy to write up a real issue, but you're right that it would be best. I'll file one. |
Thanks, I think I'm happy with this then. |
It's not entirely clear to me why we bother making this distinction, especially if it's not forward compatible with IPv6.
This relates to #3 and #13.
The text was updated successfully, but these errors were encountered: