- Type: Improvement
- Resolution: Unresolved
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: None
- Server Security
It's very hard to get X.509 certificates which would be valid for the hostname localhost. It's also generally safe to speak to loopback. Some consumers of the HttpClient want to speak HTTP, rather than HTTPS, to the localhost endpoint.
Right now, the way to do this is by calling allowInsecureHTTP with a boolean which callers compute by parsing the URI to determine whether the URI refers to localhost. Unfortunately, making this determination is hard, and simply asking whether the URI begins with the prefix http://localhost is incorrect, and would permit non-TLS traffic outside of the loopback interface. This creates a real risk that callers introduce serious security issues, while trying to perform simple and reasonable operations.
We should re-work this API to make this scenario easier to handle correctly.
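The difference between the prefix test described above and a check on the parsed host, as an added example that is not code from this ticket or from the server code base. The function names and sample URIs are constructed for illustration, and the example assumes the name `localhost` resolves to a loopback address on the host.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// The check the ticket calls incorrect: a raw string-prefix test.
bool naivePrefixCheck(const std::string& uri) {
    return uri.rfind("http://localhost", 0) == 0;
}

// True only for a strict dotted quad in 127.0.0.0/8.
static bool isLoopbackV4(const std::string& h) {
    int octets = 0, value = 0, digits = 0, first = -1;
    for (size_t i = 0; i <= h.size(); ++i) {
        if (i < h.size() && std::isdigit(static_cast<unsigned char>(h[i]))) {
            value = value * 10 + (h[i] - '0');
            if (++digits > 3 || value > 255) return false;
        } else if (i == h.size() || h[i] == '.') {
            if (digits == 0) return false;  // empty octet
            if (octets++ == 0) first = value;
            value = digits = 0;
        } else {
            return false;  // any non-digit, non-dot character
        }
    }
    return octets == 4 && first == 127;
}

// Hypothetical replacement: parse the authority, accept only loopback hosts,
// and reject anything unusual (userinfo, backslashes, malformed port).
bool isLoopbackHttpUri(const std::string& uri) {
    std::string s(uri);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (s.compare(0, 7, "http://") != 0) return false;
    std::string auth = s.substr(7, s.find_first_of("/?#", 7) - 7);
    if (auth.find_first_of("@\\") != std::string::npos) return false;
    const bool v6 = !auth.empty() && auth[0] == '[';  // bracketed IPv6 literal
    const size_t end = v6 ? auth.find(']') : auth.find(':');
    if (v6 && end == std::string::npos) return false;
    const std::string host = v6 ? auth.substr(1, end - 1) : auth.substr(0, end);
    const size_t tail = v6 ? end + 1 : end;
    const std::string rest = tail < auth.size() ? auth.substr(tail) : "";
    // Whatever follows the host must be empty or ":<digits>".
    if (!rest.empty() && (rest[0] != ':' || !std::all_of(rest.begin() + 1, rest.end(),
            [](unsigned char c) { return std::isdigit(c) != 0; }))) return false;
    return v6 ? host == "::1" : (host == "localhost" || isLoopbackV4(host));
}
```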