
Prevent fetching from IPv4-mapped IPv6 addresses

Open letitz opened this issue 3 years ago • 2 comments

Quoting my distinguished self from https://github.com/WICG/private-network-access/issues/36:

Dual stack applications such as modern browsers should never have to deal with IPv4-mapped IPv6 addresses (https://tools.ietf.org/html/rfc4291#section-2.5.5), as they can simply use IPv4 addresses instead. This is not the case today, however, at least in Chromium, in which, for example, [::ffff:7f00:1] resolves to localhost.

It seems to me that Fetch should forbid accesses to such IP addresses. What do y'all think?

letitz, Sep 22 '22 12:09

Having multiple addresses for the same endpoint is indeed not ideal. And the URL parser shouldn't normalize since there might be other contexts that are not dual stack, I suppose. Given all that, this seems reasonable based on my rather brief analysis, but I'll double check internally.

annevk, Sep 22 '22 12:09

So these IPv6 addresses need to be accounted for whenever restrictions on IPv4 addresses are made. Is that the main harm here? I suspect it might also be problematic that there are multiple addresses for the same endpoint? Anything else?

annevk, Sep 26 '22 07:09
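
The aliasing discussed in this thread, as an added example that is not part of the issue or of any commenter's post: it detects IPv4-mapped IPv6 host literals in a URL and recovers the IPv4 endpoint they name, so the literal can be refused as proposed. The function names are hypothetical, and the check covers only URL host literals as normalized by the WHATWG URL parser, not addresses returned by DNS.

```javascript
// Added example: names below are hypothetical, not from the Fetch spec or Chromium.

// Expand a bracketed IPv6 host, as serialized by the WHATWG URL parser
// (lowercase hex, at most one "::"), into its eight 16-bit pieces.
function ipv6Pieces(hostname) {
  const [head, tail] = hostname.slice(1, -1).split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  // Without "::" all eight pieces are present; otherwise "::" fills the gap.
  const gap = tail === undefined ? 0 : 8 - h.length - t.length;
  return [...h, ...Array(gap).fill('0'), ...t].map((x) => parseInt(x, 16));
}

// Return the dotted IPv4 address embedded in an IPv4-mapped IPv6 host
// (::ffff:0:0/96, RFC 4291 section 2.5.5.2), or null for any other host.
function mappedIPv4(hostname) {
  if (!hostname.startsWith('[')) return null; // not an IPv6 literal
  const p = ipv6Pieces(hostname);
  const mapped = p.slice(0, 5).every((x) => x === 0) && p[5] === 0xffff;
  if (!mapped) return null;
  return [p[6] >> 8, p[6] & 0xff, p[7] >> 8, p[7] & 0xff].join('.');
}

// Policy proposed in the issue: refuse IPv4-mapped IPv6 targets outright,
// reporting the IPv4 endpoint they alias so IPv4 restrictions stay meaningful.
function checkFetchTarget(url) {
  const v4 = mappedIPv4(new URL(url).hostname);
  return v4 === null
    ? { allowed: true, reason: 'not IPv4-mapped' }
    : { allowed: false, reason: `IPv4-mapped IPv6 alias of ${v4}` };
}

// Constructed sample URLs.
for (const url of [
  'http://[::ffff:7f00:1]/',
  'http://[0:0:0:0:0:FFFF:192.168.0.1]:8080/',
  'http://[::1]/',
  'http://127.0.0.1/',
]) {
  console.log(url, checkFetchTarget(url));
}
```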