[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (127.0.0.1, localhost)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 29 10:24:58 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186039

--- Comment #5 from Alexey Proskuryakov <ap at webkit.org> ---
> there is nothing wrong for a web page to talk to localhost *when localhost wants it*.

How does one determine the intent? I definitely have a bunch of services listening on loopback that are one parsing bug away from being a problem, and that I very much do not want to be accessed by webpages.

One can think of having an explicit opt-in (process registering its loopback port for access from a specific web origin). That mitigates some of the concerns, but clearly not all of them. Either way, given that all of this is a gross architectural violation of web technology, developing tons of infrastructure around it seems like a poor strategy.

> You could've made a good argument mentioning DNS rebinding

DNS rebinding certainly helps some of the these attacks as one doesn't need to deal with CORS, sure.

> And DNS rebinding is considered a vulnerability in a localhost service, not the browser.

Blaming a multitude of services and people configuring them instead of a single choke point is probably why DNS rebinding remains an unresolved problem :)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180529/eb1c00af/attachment.html>


More information about the webkit-unassigned mailing list