Most active commenters
  • mehrdadn(7)
  • linuxftw(5)

←back to thread

I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 22 comments | 28 May 19 07:57 UTC | HN request time: 2.267s | source | bottom
1. mehrdadn ◴[28 May 19 09:38 UTC] No.20028539[source]
Here's a question I've had for a while: WHY in the world do web browsers not block access to localhost? What exactly is the extremely compelling use case that has prevented them from blocking this?
replies(6): >>20028568 #>>20028760 #>>20029313 #>>20029331 #>>20032073 #>>20036758 #
2. rahuldottech ◴[28 May 19 09:44 UTC] No.20028568[source]
Some browsers apparently do, which is why this demo isn't working for some HN users.
3. kmlx ◴[28 May 19 10:28 UTC] No.20028760[source]
quick development? some of us use localhost to quickly test/develop.
4. jarofgreen ◴[28 May 19 12:21 UTC] No.20029313[source]
Or it could be like what happens if you access a site with a broken SSL cert - you get a big red warning page and your only allowed to continue after clicking some tiny technical option.
5. mjlee ◴[28 May 19 12:25 UTC] No.20029331[source]
There are a fair number of applications that expose a UI with a local web server. I use the Ubiquiti Controller, but it's also quite common in the world of Plex, etc. It's also a path used for local OIDC, such as with the gcloud CLI.
replies(1): >>20029377 #
6. mehrdadn ◴[28 May 19 12:31 UTC] No.20029377[source]
> expose a UI with a local web server

I'm not talking about UIs hosted on local web servers being able to send requests to themselves, I'm talking about UIs hosted on REMOTE web servers being able to send requests to local ones. It seems far worse than a random cross-origin request to me and for the life of me I can't imagine uses cases.

replies(2): >>20029984 #>>20030184 #
7. penagwin ◴[28 May 19 13:53 UTC] No.20029984{3}[source]
While I think it would be a shame to completely disable the ability for remote sites to access localhost (I'm sure it can be useful somehow), it would make far more sense to be opt-in for those cases.

Maybe browsers should assume a CORS deny all unless otherwise specified?

8. linuxftw ◴[28 May 19 14:13 UTC] No.20030184{3}[source]
That's not really how the internet works.

What is a local webserver? Running on your machine? Running on your LAN? Running on your corporate intranet? How should a browser differentiate between these things?

What qualifies as a remote server? Did you know, some very large enterprise environments squat on public IP's for private intranet internally due to address space exhaustion (IPv4 anyway)? Just because something appears to be on a public address doesn't mean it actually is.

replies(2): >>20030924 #>>20033739 #
9. boomlinde ◴[28 May 19 15:12 UTC] No.20030924{4}[source]
It seems like an obvious measure would be for sites served outside the private-use or loopback ranges to be unable to request content from servers in private-use or loopback ranges.

> Did you know, some very large enterprise environments squat on public IP's for private intranet internally due to address space exhaustion (IPv4 anyway)?

Sucks to be them. If they've exhausted their private use IPv4 addresses, they can either rest comfortably knowing that NAT and IPv6 can solve their problem or they can ignore IETF recommendations and build a card house network that breaks if you give it a stern look.

replies(1): >>20031026 #
10. linuxftw ◴[28 May 19 15:21 UTC] No.20031026{5}[source]
My preferred solution would be to disable javascript altogether.

> Sucks to be them. If they've exhausted their private use IPv4 addresses, they can either rest comfortably knowing that NAT and IPv6 can solve their problem or they can ignore IETF recommendations and build a card house network that breaks if you give it a stern look.

This will only lead to organizations running IE7 (or whatever outdated IE version is most common now) forever.

replies(1): >>20146363 #
11. jahewson ◴[28 May 19 17:09 UTC] No.20032073[source]
They do...

[Error] Failed to load resource: Origin http://http.jameshfisher.com is not allowed by Access-Control-Allow-Origin. (localhost, line 0)

12. mehrdadn ◴[28 May 19 19:56 UTC] No.20033739{4}[source]
This makes no sense. I'm just talking about localhost, I don't care where the physical computer is. It makes no difference if you're an enterprise with software running on a private or public or whatever IP. Whatever the case, I still don't see why you should be able to use JS to access a localhost address.
replies(2): >>20035066 #>>20035715 #
13. Skunkleton ◴[28 May 19 22:31 UTC] No.20035066{5}[source]
IIRC dell uses this to load support information into site. It's a reason, not saying it's a good one.
14. linuxftw ◴[29 May 19 00:13 UTC] No.20035715{5}[source]
But what if your webserver is bound to 0.0.0.0:80? Which IP ranges do you block? Just the lo interface? Well, that wouldn't prevent this exploit as the webserver would be listening on all of your IP addresses.
replies(1): >>20035748 #
15. mehrdadn ◴[29 May 19 00:20 UTC] No.20035748{6}[source]
What? Nobody cares what the listener is listening to. Nobody even cares if a listener even exists. It's completely irrelevant. You just block the outgoing request if it's sent to a localhost address from a non-localhost address. What's so complicated about this?
replies(1): >>20036139 #
16. linuxftw ◴[29 May 19 01:43 UTC] No.20036139{7}[source]
If you're suggesting that anything not originating on an enumerated list of IP's for localhost cannot request an url for something that resolves to an entry in an enumerated list of IP's for localhost, that would be possible, but is not really representative of the entire surface area of the effect demonstrated in the article.

It's also entirely possible you have some development api running on a particular port on localhost, and some app running in a container or VM that wants to make calls to it.

replies(1): >>20036174 #
17. mehrdadn ◴[29 May 19 01:48 UTC] No.20036174{8}[source]
> is not really representative of the entire surface area of the effect demonstrated in the article

So let's let perfect be the enemy of good? What's the logic here? Let's leave a huge security hole because we can't achieve perfection in all scenarios?

> It's also entirely possible you have some development api running on a particular port on localhost, and some app running in a container or VM that wants to make calls to it.

The VM should be on localhost or you should jump through a few hoops to whitelist it somehow. I see no reason why this should be allowed by default.

replies(1): >>20036480 #
18. linuxftw ◴[29 May 19 02:51 UTC] No.20036480{9}[source]
> So let's let perfect be the enemy of good? What's the logic here? Let's leave a huge security hole because we can't achieve perfection in all scenarios?

The logic here is don't hastily start implementing changes to how http requests currently work without a well established plan for doing so. I think there would be a good deal of corner cases you need to account for to successfully implement this feature.

Anyway, this problem seems pretty obvious, and I'm sure this discussion has been had elsewhere already.

replies(1): >>20036496 #
19. mehrdadn ◴[29 May 19 02:57 UTC] No.20036496{10}[source]
> The logic here is don't hastily start implementing changes to how http requests currently work without a well established plan for doing so.

As if the point of this thread was to push browser vendors to hastily implement this without thinking it through? Are you just trying to find something to have an argument over? I'm tired of this.

20. efreak ◴[29 May 19 04:04 UTC] No.20036758[source]
Caching reverse proxies for local virtual machine use, in my case. Primarily used for Linux repos, but also configured for personal use, eg for webcomics.
replies(1): >>20036809 #
21. mehrdadn ◴[29 May 19 04:15 UTC] No.20036809[source]
That's about as far from compelling a reason as you can imagine for the browser to allow this by default?
22. boomlinde ◴[10 Jun 19 13:08 UTC] No.20146363{6}[source]
> My preferred solution would be to disable javascript altogether.

My preferred solution would be not to use web browsers at all, but our preferred solutions are much harder to make a case for than a simple security policy.

> This will only lead to organizations running IE7 (or whatever outdated IE version is most common now) forever.

In general, let's let them make that choice, but this could be configurable in the browser in the same way Javascript and cookie policy exceptions are handled.