From eccd05ce1e03f41a113734fc830b8df75e246c4c Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 10 Jul 2024 13:42:29 +0200
Subject: [PATCH 1/4] Block access to :: and 0.0.0.0

Fixes #1117.
---
 fetch.bs | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index de4606f20..3d2138b64 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2743,6 +2743,26 @@ functionality.
 <a for=/>network partition key</a> <var>key</var> and an <a for=/>origin</a> <var>origin</var>:
 <!-- Should we assert the scheme here to be an HTTP(S) scheme or a WebRTC scheme? -->
 
+<ol>
+ <li><p>Let <var>ipAddresses</var> be the result of running <a>resolve an origin internal</a> given
+ <var>key</var> and <var>origin</var>.
+
+ <li><p>If <var>ipAddresses</var> is failure, then return failure.
+
+ <li><p>If <var>ipAddresses</var> <a for=set>contains</a> <code>::</code> or <code>0.0.0.0</code>,
+ then return failure.
+
+ <li><p>Return <var>ipAddresses</var>.
+</ol>
+
+<p>The results of <a>resolve an origin</a> may be cached. If they are cached, <var>key</var> should
+be used as part of the cache key.
+</div>
+
+<div>
+<p>The <dfn>resolve an origin internal</dfn> algorithm, given a <a for=/>network partition key</a>
+<var>key</var> and an <a for=/>origin</a> <var>origin</var>, runs these steps:
+
 <ol>
  <li><p>If <var>origin</var>'s <a for=origin>host</a> is an <a for=/>IP address</a>, then return
  « <var>origin</var>'s <a for=origin>host</a> ».
@@ -2753,7 +2773,8 @@ functionality.
 
  <li>
   <p>Perform an <a>implementation-defined</a> operation to turn <var>origin</var> into a
-  <a for=/>set</a> of one or more <a for=/>IP addresses</a>.
+  <a for=/>set</a> of one or more <a for=/>IP addresses</a>, taking <var>key</var> into account as
+  appropriate.
 
   <p>It is also <a>implementation-defined</a> whether other operations might be performed to get
   connection information beyond just <a for=/>IP addresses</a>. For example, if <var>origin</var>'s
@@ -2767,16 +2788,13 @@ functionality.
  <li><p>Return failure.
 </ol>
 
-<p>The results of <a>resolve an origin</a> may be cached. If they are cached, <var>key</var> should
-be used as part of the cache key.
-
 <div class=note>
  <p>Typically this operation would involve DNS and as such caching can happen on DNS servers without
  <var>key</var> being taken into account. Depending on the implementation it might also not be
  possible to take <var>key</var> into account locally. [[RFC1035]]
 
- <p>The order of the <a for=/>IP addresses</a> that the <a>resolve an origin</a> algorithm can return
- can differ between invocations.
+ <p>The order of the <a for=/>IP addresses</a> that the <a>resolve an origin internal</a> algorithm
+ can return can differ between invocations.
 
  <p>The particulars (apart from the cache key) are not tied down as they are not pertinent to the
  system the Fetch Standard establishes. Other documents ought not to build on this primitive without
@@ -9015,6 +9033,7 @@ done only by navigations). The <a>fetch controller</a> is also used to
 <p>Thanks to
 Adam Barth,
 Adam Lavin,
+Alain Emilia Anna Zscheile<!-- fogti; GitHub -->,
 Alan Jeffrey,
 Alexey Proskuryakov,
 Andreas Kling,
@@ -9026,7 +9045,7 @@ Arkadiusz Michalski,
 Arne Johannessen,
 Artem Skoretskiy,
 Arthur Barstow,
-Arthur Sonzogni, <!-- ArthurSonzogni; GitHub -->
+Arthur Sonzogni<!-- ArthurSonzogni; GitHub -->,
 Asanka Herath,
 Axel Rauschmayer,
 Ben Kelly,

From 56facf7ca239f2256a89c43f5bbd900c0a23ed42 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 19 Aug 2024 14:24:26 +0200
Subject: [PATCH 2/4] Update fetch.bs

---
 fetch.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fetch.bs b/fetch.bs
index 3d2138b64..2ffccffab 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2759,7 +2759,7 @@ functionality.
 be used as part of the cache key.
 </div>
 
-<div>
+<div algorithm>
 <p>The <dfn>resolve an origin internal</dfn> algorithm, given a <a for=/>network partition key</a>
 <var>key</var> and an <a for=/>origin</a> <var>origin</var>, runs these steps:
 

From d2a8fdb94bf5cc918ca7709e0f56a61bcb673868 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 19 Aug 2024 14:56:49 +0200
Subject: [PATCH 3/4] review

---
 fetch.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 2ffccffab..d9e10b1e8 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2749,8 +2749,8 @@ functionality.
 
  <li><p>If <var>ipAddresses</var> is failure, then return failure.
 
- <li><p>If <var>ipAddresses</var> <a for=set>contains</a> <code>::</code> or <code>0.0.0.0</code>,
- then return failure.
+ <li><p>If <var>ipAddresses</var> <a for=set>contains</a> <code>::</code>, <code>::ffff:0:0</code>,
+ or <code>0.0.0.0</code>, then return failure.
 
  <li><p>Return <var>ipAddresses</var>.
 </ol>

From 4b5e6a6a22cde0f3bbd53cbce60e1bde152545e7 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 19 Aug 2024 14:57:57 +0200
Subject: [PATCH 4/4] Update fetch.bs

---
 fetch.bs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fetch.bs b/fetch.bs
index d9e10b1e8..7dfbe1b5a 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -9222,6 +9222,7 @@ triple-underscore<!-- GitHub -->,
 保呂毅 (Tsuyoshi Horo),
 Tyler Close,
 Ujjwal Sharma,
+Valentin Gosu,
 Vignesh Shanmugam,
 Vladimir Dzhuvinov,
 Wayne Carr,