Hacker News
by AnthonyMouse 2540 days ago
> How is the browser supposed to reason about "local"?

That isn't even the issue. It's that there is nothing inherently wrong or unusual with mixing local and internet requests.

Look at IPFS -- it runs a webserver on localhost which you can request content from by using content hashes. There is nothing wrong with a website on the internet which anticipates that you have IPFS installed and uses it to request page elements. It can even use JavaScript to detect that you have it and use a different (e.g. slower or more expensive) source for the content if you don't, or show a message explaining how to install it.

Or you have a company with some internal servers where some of them have public addresses (or public IPv6 addresses) while some don't, but they arbitrarily access resources on the others because they're all managed by the same people.

This isn't a browser problem. Browsers are supposed to work this way.

1 comments

Yes, exactly. This should be a top-level comment. The uninformed delirium over intentional and useful browser features moves us in a slow crawl towards a sad husk of what the Web used to be in the name of 'security'.

The web has changed. It has become a vastly more hostile environment. In my view, the appropriate way of acknowledging this change is to prioritize security over features. Whether a feature is useful or not is no longer the primary consideration.

A denial of service doesn't improve security. All you do is get users to mash whatever knobs they can find until it starts working again regardless of the implications, or disable updates so they can keep using the old version that works instead of the new version that doesn't.

You need to fix the things that are broken instead of breaking the things that are working.

How does prioritizing security equate to "denial of service"? A securely designed system can be user friendly.