
I can see your local web servers

(http.jameshfisher.com)
652 points | jamesfisher | 1 comment
mehrdadn No.20028539
Here's a question I've had for a while: WHY in the world do web browsers not block access to localhost? What exactly is the extremely compelling use case that has prevented them from blocking this?
replies(6): >>20028568 >>20028760 >>20029313 >>20029331 >>20032073 >>20036758
mjlee No.20029331
There are a fair number of applications that expose a UI with a local web server. I use the Ubiquiti Controller, but it's also quite common in the world of Plex, etc. It's also a path used for local OIDC, such as with the gcloud CLI.
replies(1): >>20029377
mehrdadn No.20029377
> expose a UI with a local web server

I'm not talking about UIs hosted on local web servers being able to send requests to themselves, I'm talking about UIs hosted on REMOTE web servers being able to send requests to local ones. It seems far worse than a random cross-origin request to me and for the life of me I can't imagine use cases.

replies(2): >>20029984 >>20030184
penagwin No.20029984
While I think it would be a shame to completely disable the ability for remote sites to access localhost (I'm sure it can be useful somehow), it would make far more sense to be opt-in for those cases.

Maybe browsers should assume a CORS deny all unless otherwise specified?
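A server-side counterpart to the opt-in idea above, added here as an example rather than code from the thread: a local UI server that refuses any request a browser marks as coming from another site and never grants a CORS preflight. The allowed origins and the port are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumption (constructed): the local UI is only ever loaded from these origins.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def origin_allowed(origin: Optional[str], sec_fetch_site: Optional[str] = None) -> bool:
    """Return True if a request may be served by this local UI.

    Browsers add an Origin header to every cross-origin request (and to all
    POSTs) and, in current versions, a Sec-Fetch-Site header describing how
    the requesting page relates to this server.  A request with neither is
    a same-origin navigation or a non-browser client and is served as before.
    """
    if sec_fetch_site == "cross-site":
        return False            # the browser itself says a remote site made this request
    if origin is None:
        return True             # no Origin: plain navigation or a non-browser client
    return origin in ALLOWED_ORIGINS  # "null" and remote origins are rejected here


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Serves the local UI only to requests that pass origin_allowed()."""

    def _gate(self) -> bool:
        if origin_allowed(self.headers.get("Origin"), self.headers.get("Sec-Fetch-Site")):
            return True
        self.send_response(403)      # deliberately no Access-Control-Allow-Origin header
        self.end_headers()
        self.wfile.write(b"cross-origin access to this local UI is not allowed\n")
        return False

    def do_OPTIONS(self) -> None:
        # A preflight is never granted, so non-simple cross-origin requests are never sent.
        self.send_response(403)
        self.end_headers()

    def do_GET(self) -> None:
        if not self._gate():
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"local UI\n")

    do_POST = do_GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LocalOnlyHandler).serve_forever()
```

Simple GET and POST requests are still sent by the browser regardless of CORS; this server answers them with 403 and no CORS headers, so the remote page neither triggers an action nor reads a response.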