2019-12-25 UTC
# [dmitshur] one of the challenges of implementing an IndieAuth client is the need to make some HTTP requests, e.g., to discover the authorization_endpoint on a user-provided URL. the spec disallows URLs that are not domain name (e.g, `localhost`) or IPs (e.g. `127.0.0.1` ), and in theory it _should_ be safe to make arbitrary GET requests... but it's still potentially a little scary.