
I can see your local web servers

(http.jameshfisher.com)
652 points | jamesfisher | 1 comment
founderling | No.20028376
I started a local webserver listening on localhost:80 just to see what happens, but this thing seems to not detect it. It shows me "Scanning localhost ... localhost complete."

Edit: My guess is that this thing can only detect servers that send a CORS header that permits cross domain access.

It could probably do way better detection if it did not do XHR requests but added script/css/whatever elements to its own page pointing to localhost and detected whether those errored out.

replies(5): >>20028381, >>20028422, >>20028443, >>20034079, >>20036964
jensneuse | No.20028422
CORS is a security mechanism for browsers to prevent leaking user information (e.g. cookies) when doing cross-domain requests from a browser. CORS does not prevent accessing the server at all. You can always curl a CORS-protected server, but you won't be able to make a request including the user's cookies from a disallowed domain.
replies(2): >>20028925, >>20029142
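To make the distinction in the comment above concrete, here is a small local HTTP server added as an illustration; it is not the demo's code and not something any commenter posted. It assumes a loopback bind on 127.0.0.1:8080 and a hypothetical allowlist containing only http://localhost:8080. `cors_headers` shows what CORS actually controls (whether the browser lets the page read the response), while `origin_is_trusted` is the server-side check that a CORS header alone does not give you: it refuses to run the handler when a foreign page's Origin header shows up, and logs the attempt.

```python
"""Added example: what CORS does (and does not) protect on a localhost server.

Assumptions (constructed for this example, not from the thread): the server
binds to 127.0.0.1:8080 and trusts only the origin http://localhost:8080.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical allowlist; any web origin not listed is cross-origin to us.
ALLOWED_ORIGINS = {"http://localhost:8080"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for a request carrying `origin`.

    Without Access-Control-Allow-Origin the browser still SENDS the request
    and this server still HANDLES it; the browser merely refuses to hand the
    response to the page's JavaScript. CORS is a read gate in the browser,
    not an access control on the server.
    """
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def origin_is_trusted(origin, allowed=ALLOWED_ORIGINS):
    """Server-side check: a foreign Origin header means the request was
    issued by a page on another site. Rejecting it (403) stops the handler
    from running at all, which CORS alone does not do. Requests with no
    Origin header (curl, same-origin navigations) pass this check."""
    return origin is None or origin in allowed


class Handler(BaseHTTPRequestHandler):
    def _send(self, status, body, extra=None):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):  # CORS preflight
        origin = self.headers.get("Origin")
        hdrs = cors_headers(origin)
        if hdrs:
            hdrs["Access-Control-Allow-Methods"] = "GET, OPTIONS"
        self._send(204 if hdrs else 403, b"", hdrs)

    def do_GET(self):
        origin = self.headers.get("Origin")
        if not origin_is_trusted(origin):
            # Worth logging: a page from another site probed this local server.
            self.log_message("rejected cross-site request from %s", origin)
            self._send(403, b"forbidden\n")
            return
        self._send(200, b"hello from loopback\n", cors_headers(origin))


if __name__ == "__main__":
    # Loopback only: reachable by browsers on this machine, not from the network.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it and compare `curl http://127.0.0.1:8080/` (no Origin, 200) with `curl -H 'Origin: https://example.com' http://127.0.0.1:8080/` (403). Only the second case is what a browser-driven probe from another site looks like, and it is the Origin check, not the absence of a CORS header, that keeps the handler from running.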
jeltz | No.20028925
Well yeah, but CORS prevents his demo from working. And you cannot curl something remotely when it only binds to 127.0.0.1.