Include 0.0.0.0 in the same group à 127.0.0.0/8

[randomstuff]

On Linux and MacOS, trying to connect to 0.0.0.0 actually connects to the local machine. This can be used for DNS rebinding attacks. As a consequence 0.0.0.0 should be included in the same group à 127.0.0.0/8 (i.e. private or local).

[annevk]

Per https://en.wikipedia.org/wiki/0.0.0.0 it seems we could also attempt to define that in the context of browsers this results in a network error.

[mikewest]

this results in a network error.

That seems like a very reasonable outcome to me.

[letitz]

Where would be the right place to specify that behavior across browsers? I'm not sure this spec is a natural fit.

[annevk]

I've been thinking Fetch, also for https://tools.ietf.org/html/draft-west-let-localhost-be-localhost. (It'll need to say things about DNS anyway for state partitioning efforts.)

[letitz]

Per #30, we will consider 0.0.0.0/8 to be private. It would also be good to standardize the error in Fetch, though that is not needed to close this issue.