Add { 548, 'afp' } to the blocked bad ports

[toyoshim]

Chrome team is discussing to disallow port 548.
Can we have the 548 in the bad port list, https://fetch.spec.whatwg.org/#port-blocking ?

Also any other reason not to disallow other well-known < 1024 ports except for http/https ?
I guess it's just for possible compatibility breakage, but it would be great if we can disallow them eventually.

[annevk]

According to Wikipedia AFP also uses 427. Is that being considered? Can you share the issue number?

I think the main reason we have a blocklist is compatibility, but I haven't seen recent data about usage of non-HTTP ports < 1024 by web sites. That would be interesting.

cc @whatwg/security

[annevk]

See also #544.

[annevk]

@toyoshim @tyoshino any updates here? Would love to address outstanding security issues.

[mikewest]

FYI: @tyoshino is no longer working on Blink. We miss him, but I don't think he's working on web things at the moment.

I talked with our metrics folks a while back about collecting port information. They weren't thrilled about adding a histogram with 64k buckets to get exact numbers, and I didn't come up with a better proposal. Blocking 548 and 427 seems fine. Blocking all ports under 1024 seems likely to not be fine. I wonder if our metrics folks would be unhappy with 1k buckets?

[annevk]

Thanks, I meant to ping @yutakahirano, who gave me access to the private issue due to another discussion.

I guess we should proceed with 427 and 548 then and hope nothing breaks (or not too much).

[mikewest]

Since we can't write WPT for it (as we don't have access to any ports below 1024), no tests will break! Which means it's web-compatible.

[annevk]

Created a PR for this. Haven't filed bugs and such quite yet though so that'll likely have to wait for next week. @toyoshim I added you to the Acknowledgments section with the name you use on GitHub. Let me know if that needs changing somehow.

[yutakahirano]

@mikewest
Blocking 548 and 427 seems fine. Blocking all ports under 1024 seems likely to not be fine. I wonder if our metrics folks would be unhappy with 1k buckets?

I think it's good to force preflight for port-specified requests.

[annevk]

@yutakahirano that's an interesting idea, but probably best tracked in a separate issue. Could you file one?

[ricea]

@yutakahirano I'm afraid it's not web compatible. At one time running a second server on port 81 was fashionable. I doubt any of those servers will ever be updated to support CORS.

[yutakahirano]

@annevk: sounds good.

I'm fine with blocking 548 and 427.