Gaping Security Hole

If my quick reading of the spec is correct, it seems that browsers will assume that private IP address space is 'local' and public space is 'public'. There are networks where this does not hold. I hope browsers will allow the configuration of a list of CIDR ranges to be considered 'local' in addition to the defaults.