dev is a public TLD; you can go out and buy [whatever].dev: https://get.dev/ However, isHostLocal treats .dev domains as local, despite .dev not being a reserved TLD.

Within XF's core and first-party add-ons as of writing, isHostLocal is only ever used in the context of the expression: $request->isSecure() || $request->isHostLocal(). By sheer luck, dev has HSTS enabled for the entire TLD, so this bug is inconsequential. However, if any third-party add-ons use isHostLocal expecting it to do what it claims to do, bugs are likely to arise.
The following TLDs currently appear in
- dev: Bad; public TLD
- localhost: Good; reserved for testing in RFC 2606
- local: Not great; reserved for use with mDNS in RFC 6762, so it'll never be public, but it's in active use on most home networks and may result in a non-localhost hostname being treated as such. I can't think of any sane scenario in which this would cause an issue within XF, but developers shouldn't be using it as a development TLD (especially if they're on macOS), so there's no reason to include it.
- test: Good; reserved for testing in RFC 2606
While we're at it, isHostLocal should really cover all of 127.0.0.0/8, not just 127.0.0.1. Using alternatives such as 127.0.1.1 is quite common on Linux.
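
A stricter check along the lines proposed above, as an added example that is not XenForo's code: the function name isStrictlyLocalHost and the sample hostnames are hypothetical. It accepts only the two TLDs the list above marks as good (localhost, test) plus any IPv4 literal in 127.0.0.0/8, and treats everything else as non-local.

```php
<?php
// Added example: hypothetical stand-alone helper, not XenForo's isHostLocal().

/**
 * Returns true only for hosts that can never be a public site:
 * names under the reserved TLDs "localhost" / "test" and the
 * IPv4 loopback block 127.0.0.0/8. Everything else fails closed.
 */
function isStrictlyLocalHost(string $host): bool
{
    $host = strtolower(trim($host));

    // Drop an optional ":port" suffix and the trailing dot of an FQDN.
    $host = preg_replace('/:\d+$/', '', $host);
    $host = rtrim($host, '.');

    // IPv4 literal: loopback is the whole 127.0.0.0/8 block, not just 127.0.0.1.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return explode('.', $host)[0] === '127';
    }

    // Hostname: decide on the last label only, so "localhost.example.com"
    // and "127.0.0.1.example.com" are not mistaken for local hosts.
    $labels = explode('.', $host);
    $tld = end($labels);

    // "dev" is a public TLD and "local" is in live use for mDNS: both excluded.
    return in_array($tld, ['localhost', 'test'], true);
}

// Constructed sample Host header values.
$samples = [
    'localhost', 'myboard.test', '127.0.0.1', '127.0.1.1:8080',
    'forum.dev', 'printer.local', 'localhost.example.com',
    '127.0.0.1.example.com', '128.0.0.1',
];

foreach ($samples as $sample) {
    printf("%-24s %s\n", $sample, isStrictlyLocalHost($sample) ? 'local' : 'NOT local');
}
```

Only the first four samples are reported as local; IPv6 literals such as [::1] are deliberately left out of scope here and fall through to the non-local result.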