Block access to 0.0.0.0

Fixes #1117.
whatwg · Jul 10, 2024 · ca2c938 · ca2c938
1 parent 4cb3cf2
commit ca2c938
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -2744,8 +2744,15 @@ functionality.
 <!-- Should we assert the scheme here to be an HTTP(S) scheme or a WebRTC scheme? -->
 
 <ol>
- <li><p>If <var>origin</var>'s <a for=origin>host</a> is an <a for=/>IP address</a>, then return
- « <var>origin</var>'s <a for=origin>host</a> ».
+ <li>
+  <p>If <var>origin</var>'s <a for=origin>host</a> is an <a for=/>IP address</a>:
+
+  <ol>
+   <li><p>If <var>origin</var>'s <a for=origin>host</a> is <code>0.0.0.0</code>, then return
+   failure.
+
+   <li><p>Return « <var>origin</var>'s <a for=origin>host</a> ».
+  </ol>
 
  <li><p>If <var>origin</var>'s <a for=origin>host</a>'s <a for=host>public suffix</a> is
  "<code>localhost</code>" or "<code>localhost.</code>", then return « <code>::1</code>,