[Webkit-unassigned] [Bug 186039] Prevent websites from talking to loopback interface (127.0.0.1, localhost)

bugzilla-daemon at webkit.org
Tue May 29 19:54:41 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186039

--- Comment #7 from homakov <homakov at gmail.com> ---
> How does one determine the intent?

That was my first answer in 171934, literally:

> That's kind of true, but why not just open up localhost that opts-in to be accessed? Preflight?

I agreed that there are bugs that can happen, but offered to consider CORS preflight or any other way to re-enable the localhost bridge. Any header like Allow-Localhost: 1 would show the intent too. Or crossdomain.xml-style sharing as well.

> developing tons of infrastructure around it seems like a poor strategy.

With the CORS approach I doubt you would increase code complexity. Violating the spec, on the other hand, does increase code complexity for the developers and pushes them to root CA options.

> Blaming a multitude of services and people

I too believe DNS rebinding could have been solved decades ago in web standards, but complete prohibition of localhost is unacceptable. It will push people to send data from the web page<->server<->localhost listener, which is next-level ugly and slow.

Bottom line:
A direct bridge from page to localhost is very useful and enables a whole range of use cases. There are multiple low-overhead ways for localhost to show the intent to be talked to, from CORS to flags and special headers: choose whatever you like.

I do not like the Developer Console option as it complicates things for normal users who just want e.g. the local Spotify daemon to work.
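
The listener side of the CORS opt-in discussed in this message, as an added example that is not part of the original message or of WebKit: a loopback service that answers a preflight only for allowlisted origins and refuses any Host other than its own loopback names, which is the DNS rebinding check. It uses the standard CORS headers rather than the hypothetical Allow-Localhost header; the origin, port and function names are assumptions.

```javascript
// Added example: opt-in policy for a loopback-only HTTP listener.
// Origin, host names and port below are constructed sample values.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_HOSTS = new Set(["127.0.0.1:4381", "localhost:4381"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// Decide how to answer one request. `headers` uses lowercase names, as
// Node's http module delivers them. Returns { status, headers }.
function decide(method, headers) {
  // DNS rebinding check: a rebound name shows up in Host, so serve only
  // the literal loopback names this listener is bound to.
  const host = String(headers["host"] || "").toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return { status: 403, headers: {} };

  // Require an allowlisted Origin on every request. Requests without
  // Origin (e.g. no-cors image GETs) are refused, and no CORS header is
  // returned, so the calling page learns nothing from the response.
  const origin = headers["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  const cors = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  // Preflight: this is where the service states its intent to be called.
  const wanted = headers["access-control-request-method"];
  if (method === "OPTIONS" && wanted !== undefined) {
    if (!ALLOWED_METHODS.has(wanted)) return { status: 403, headers: {} };
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
        "Access-Control-Max-Age": "600",
      },
    };
  }

  if (!ALLOWED_METHODS.has(method)) return { status: 405, headers: cors };
  return { status: 200, headers: cors };
}

// Wiring into Node's http server; bind to loopback only.
function handler(req, res) {
  const d = decide(req.method, req.headers);
  res.writeHead(d.status, d.headers);
  res.end();
}
// require("http").createServer(handler).listen(4381, "127.0.0.1");
```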
