
dev is a public TLD; you can go out and buy [whatever].dev: https://get.dev/  However, isHostLocal treats .dev domains as local, despite .dev not being a reserved TLD.


Within XF's core and first-party add-ons as of writing, isHostLocal is only ever used in the context of the expression: $request->isSecure() || $request->isHostLocal().  By sheer luck, dev has HSTS enabled for the entire TLD, so this bug is inconsequential.  However, if any third-party add-ons use isHostLocal expecting it to do what it claims to do, bugs are likely to arise.


The following TLDs currently appear in isHostLocal:


  • dev: Bad; public TLD
  • localhost: Good; reserved for testing in RFC 2606
  • local: Not great; reserved for use with mDNS in RFC 6762, so it'll never be public, but it's in active use on most home networks and may result in a non-localhost hostname being treated as such.  I can't think of any sane scenario in which this would cause an issue within XF, but developers shouldn't be using it as a development TLD (especially if they're on macOS), so there's no reason to include it.
  • test: Good; reserved for testing in RFC 2606


While we're at it, isHostLocal should really cover all of 127.0.0.0/8, not just 127.0.0.1.  Using alternatives such as 127.0.1.1 is quite common on Linux.
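As an added example (not XenForo's own code), here is a host check in the shape the post argues for: only the RFC 2606 test TLDs and the whole 127.0.0.0/8 block count as local, and dev is left out. The function name isHostLocalStrict and the sample hosts are assumptions for illustration.

```php
<?php
// Added example, not XenForo's code: classify a Host header value as local only
// when it is a loopback address (all of 127.0.0.0/8, or ::1) or sits under a
// TLD reserved for testing by RFC 2606. "dev" is deliberately absent because it
// is a public TLD. Function name and sample hosts are assumptions.

function isHostLocalStrict(string $host): bool
{
    // Normalise: lower-case, drop a trailing dot, strip an optional port.
    $host = strtolower(rtrim($host, '.'));
    if (preg_match('/^\[(.+)\]:\d+$/', $host, $m)) {
        $host = $m[1];                       // "[::1]:8080" -> "::1"
    } elseif (preg_match('/^([^:]+):\d+$/', $host, $m)) {
        $host = $m[1];                       // "localhost:3000" -> "localhost"
    }

    // IPv6 loopback literal.
    if ($host === '::1') {
        return true;
    }

    // IPv4 literal: local if the first octet is 127, i.e. anywhere in 127.0.0.0/8,
    // so 127.0.1.1 (common on Linux) is treated the same as 127.0.0.1.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return (int) explode('.', $host)[0] === 127;
    }

    // Hostname: bare "localhost" or any name whose last label is a reserved test TLD.
    $reservedTlds = ['localhost', 'test'];   // RFC 2606; no "dev", no "local"
    $labels = explode('.', $host);
    return in_array(end($labels), $reservedTlds, true);
}

// Constructed sample inputs contrasting the stricter rule with a list that names ".dev".
$samples = [
    '127.0.0.1', '127.0.1.1', '127.255.255.254', '128.0.0.1',
    '[::1]:8080', 'localhost', 'forum.localhost:3000', 'site.test',
    'mysite.dev', 'printer.local', 'example.com',
];
foreach ($samples as $h) {
    printf("%-22s %s\n", $h, isHostLocalStrict($h) ? 'local' : 'not local');
}
```

In this version mysite.dev and printer.local are reported as not local, while 127.0.1.1 is.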

