[Webkit-unassigned] [Bug 186039] New: Prevent websites from talking to loopback interface (127.0.0.1, localhost)

Mon May 28 13:09:33 PDT 2018

https://bugs.webkit.org/show_bug.cgi?id=186039

            Bug ID: 186039
           Summary: Prevent websites from talking to loopback interface
                    (127.0.0.1, localhost)
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ap at webkit.org
                CC: beidson at apple.com, bfulgham at webkit.org,
                    webkit-bug-importer at group.apple.com

Letting websites talk to software that runs locally is quite dangerous, and probably never a legitimate use of web technology.

1. Local software is likely to have poor security settings, such as weak passwords. It doesn't even have to recognize HTTP to be vulnerable, as cross-protocol attacks do exist.

2. Often, such software is a proxy for hardware (see e.g. Arduino request in <https://bugs.webkit.org/show_bug.cgi?id=171934#c18>). That increases the risk.

3. Knowledge of locally running services can be used for fingerprinting.

4. For https pages in particular, talking to an unknown party on a local machine only identified by a port number violates page security too.

See bug 171934 for more discussion.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180528/4b46da58/attachment.html>