Comment 5 for bug 1804042

Adrian Turjak (adriant-y) wrote :

One point I'd also like to add here, and it is an important one: how we implement this has to be VERY configurable around how the headers are parsed. Header spoofing, which ones to trust, which parts of the header (or which of the multiple headers) to trust, etc. All those are potential vectors we need to try and handle, or at least supply methods which will allow deployers to make sure the correct headers are used and parsed.

"X-Forwarded-For", and "Forwarded" potentially, plus I have a feeling there are some odd custom ones out there too.

We'll need to investigate this, and make sure we are handling this as best as we can.
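
An added example, not part of the original comment or of the project's code: one way a deployer-configurable resolver could decide which forwarding header to read and which part of it to believe. The names `client_ip`, `trusted_proxies` and `trusted_header` are hypothetical, and all addresses are constructed.

```python
import ipaddress
import re

# for= parameter of one Forwarded element (RFC 7239); the value may be quoted,
# IPv6 is bracketed, and a port may follow.
_FOR_RE = re.compile(r'(?:^|;)\s*for=("?)(\[[^\]]+\]|[^;",:]+)(?::\d+)?\1', re.I)

def _parse_xff(value):
    # Comma-separated list: original client first, nearest proxy last.
    return [p.strip() for p in value.split(",") if p.strip()]

def _parse_forwarded(value):
    # One element per hop; an element without a usable for= becomes "unknown".
    hops = []
    for element in value.split(","):
        m = _FOR_RE.search(element)
        hops.append(m.group(2).strip(" []") if m else "unknown")
    return hops

PARSERS = {"x-forwarded-for": _parse_xff, "forwarded": _parse_forwarded}

def client_ip(peer, headers, trusted_proxies, trusted_header=None):
    """peer: TCP source address; headers: list of (name, value) pairs."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)
    # A forwarding header sent by an untrusted peer is client-controlled input.
    if not trusted_header or not is_trusted(peer):
        return peer
    name = trusted_header.lower()
    # Only the configured header is read; repeated instances are joined in order.
    values = [v for k, v in headers if k.lower() == name]
    # Assumption: a custom header uses the X-Forwarded-For list syntax.
    hops = PARSERS.get(name, _parse_xff)(",".join(values))
    client = peer
    # Walk right to left: the rightmost entries were appended by our proxies.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # "unknown" or garbage: keep the last address we could verify
        client = hop
        if not is_trusted(hop):
            break  # first hop outside our proxies; entries left of it are unverified
    return client

# Constructed sample: client-supplied entry, then the real client, then our proxy.
SAMPLE = [("X-Forwarded-For", "203.0.113.66, 198.51.100.7, 10.0.0.9")]
```

With no `trusted_header` configured, or when the connecting peer is outside `trusted_proxies`, the header is never consulted and the socket address is used.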