TrustedClients:
SAMPLE: {}
- # Treat any origin whose host part is a private IP address
- # (e.g., http://10.0.0.123/) as if it were listed in
- # TrustedClients.
+ # Treat any origin whose host part is "localhost" or a private
+ # IP address (e.g., http://10.0.0.123:3000/) as if it were
+ # listed in TrustedClients.
#
# Intended only for test/development use. Not appropriate for
# production use.
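Review bot: The revised comment does not say how "localhost" is matched, which matters for a setting that extends trust to origins nobody listed. Judging from the test rows changed in the same commit, the host appears to be compared by name, and loopback literals such as `[::1]` appear to be handled under the private-address case. Neither is stated here. Once confirmed against the implementation, which is not visible in this hunk, I would add a line such as `# "localhost" is matched as a literal hostname; loopback addresses count as private.`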
{true, false, "https://app.example.com/"},
{true, false, "https://app.example.com:443/foo?bar=baz"},
// non-listed hostname => deny (regardless of TrustPrivateNetworks)
- {false, false, "https://localhost/"},
- {false, true, "https://localhost/"},
+ {false, false, "https://bad.example/"},
{false, true, "https://bad.example/"},
// non-listed non-private IP addr => deny (regardless of TrustPrivateNetworks)
{false, true, "https://1.2.3.4/"},
{false, true, "https://1.2.3.4/"},
{false, true, "https://[ab::cd]:1234/"},
- // non-listed private IP addr => accept only if TrustPrivateNetworks is set
+ // localhost or non-listed private IP addr => accept only if TrustPrivateNetworks is set
+ {false, false, "https://localhost/"},
+ {true, true, "https://localhost/"},
{false, false, "https://[10.9.8.7]:80/foo"},
{true, true, "https://[10.9.8.7]:80/foo"},
{false, false, "https://[::1]:80/foo"},
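Review bot: The two `https://1.2.3.4/` rows are identical (`{false, true, ...}`), so the "deny regardless" case for a public IP is never exercised with the second field false. The first of them should probably be `{false, false, "https://1.2.3.4/"},`, mirroring the `bad.example` pair this change completes. The new localhost rows also cover only the exact name on the default port. A lookalike row such as `{false, true, "https://localhost.example.com/"},` would pin that the match is not a prefix or substring match, and a row with an explicit port would cover the `:3000` form used in the config comment. The struct definition and the loop that consumes the table are outside this hunk, so the field order (expected result, TrustPrivateNetworks, origin) is inferred from the rows.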