Decide how to treat 0.0.0.0

[letitz]

Currently in Chromium, 0.0.0.0 is sorted into the "unknown" address space, which means it mostly behaves as "public". This specification treats 0.0.0.0 as "public".

A public website can abuse this to load a resource from localhost by replacing 127.0.0.1 with 0.0.0.0, which routes to localhost on Mac and Linux.

It seems that 0.0.0.0 should be treated as "local" instead, since its meaning is different for every host.

[letitz]

It seems that 0.0.0.0 does not map to localhost on Windows: https://superuser.com/questions/536156/how-do-i-get-0-0-0-0-to-resolve-to-localhost-when-browsing-a-url-that-contains-0

Still, its meaning differs based on the computer resolving the address.

[annevk]

See also whatwg/fetch#1117.

[avioligo]

I did a research on this manner an managed to fingerprint website visitors without any cookies.

POC:
http://ports.sh

[avioligo]

@correabuscar
Because I work at oligo.security and currently work on this :)

See https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild

[avilum]

And I confirm @avioligo is my work account :)
Thanks for thinking twice! It is very responsible @correabuscar