←back to thread

I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 3 comments | 28 May 19 07:57 UTC | HN request time: 0s | source
Show context
lostjohnny ◴[28 May 19 09:15 UTC] No.20028455[source]
Nope, you can't

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)
Anyway

    TypeError: /(192\.168\.[0-9]+\.)[0-9]+/.exec(...) is null i-can-see-your-local-web-servers:169:41
replies(3): >>20028659 #>>20029606 #>>20029927 #
chronial ◴[28 May 19 10:04 UTC] No.20028659[source]
The Cross-Origin check be circumvented via DNS Rebinding: When you request mypage.com, my DNS returns the ip of my webserver. On all subsequent requests, it will return 127.0.0.1. Now localhost is on the same origin as my page.
replies(2): >>20028841 #>>20034436 #
lostjohnny ◴[28 May 19 10:50 UTC] No.20028841[source]
It doesn't matter, you should be in control of a DNS the user relies on and you should have your server send

    Access-Control-Allow-Origin: mypage.com
or

    Access-Control-Allow-Origin: *
which is not a default anywhere AFAIK and is domain based, not IP based

And your server should be enabled to respond to mypage.com host header

replies(2): >>20028880 #>>20029000 #
1. chronial ◴[28 May 19 10:57 UTC] No.20028880[source]
I don't quite understand your comment. Do you mean "shouldn't" whenever you wrote "should"?
replies(2): >>20028952 #>>20030389 #
2. m12k ◴[28 May 19 11:15 UTC] No.20028952[source]
I think they write 'should' when they mean 'need to if you want the aforementioned to be a practical attack vector'
3. lostjohnny ◴[28 May 19 14:27 UTC] No.20030389[source]
yeah, I meant need, sorry