
I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 1 comments
lostjohnny No.20028455
Nope, you can't

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)

Anyway

    TypeError: /(192\.168\.[0-9]+\.)[0-9]+/.exec(...) is null i-can-see-your-local-web-servers:169:41
replies(3): >>20028659 >>20029606 >>20029927
chronial No.20028659
The Cross-Origin check can be circumvented via DNS Rebinding: When you request mypage.com, my DNS returns the IP of my web server. On all subsequent requests, it will return 127.0.0.1. Now localhost is on the same origin as my page.
replies(2): >>20028841 >>20034436
X-Istence No.20034436
This is the reason why my local DNS resolver won't allow returning private IP space (including localhost).
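The rebinding sequence chronial describes and the resolver policy X-Istence describes, modelled together in one added example. This is not code from the thread, from jamesfisher's page, or from any real resolver; it builds and parses minimal RFC 1035 A queries and answers in memory so the whole exchange runs offline. Assumed placeholders: mypage.example stands in for "mypage.com", 203.0.113.7 for the attacker's public web server, a 1-second TTL for the rebinding answers, and the blocked list (RFC 1918, loopback, link-local, plus the IPv6 equivalents) for what "private IP space" covers.

```python
"""DNS rebinding (attacker side) and a resolver that refuses private answers.

Added example; not the thread's or jamesfisher.com's code. mypage.example
(RFC 2606) and 203.0.113.7 (TEST-NET-3) are constructed placeholders; the
blocked ranges below are an assumption of what "private IP space" means.
"""
import ipaddress
import struct

# Ranges a protective resolver refuses to hand to the browser. ipaddress's
# is_private also flags documentation ranges such as 203.0.113.0/24, which
# would break the demo, so the list is explicit (assumed, not a standard).
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A query: 12-byte header followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes, pos: int = 12) -> str:
    """Read the uncompressed name starting at `pos` (the question name)."""
    labels = []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    return ".".join(labels)


def build_a_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Answer `query` with one A record whose name is a pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                                        # echoed back verbatim
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR, RD, RA; ANCOUNT=1
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rr


def parse_a_records(response: bytes) -> list:
    """Return [(ip, ttl), ...] from the answer section (RR names assumed to be 2-byte pointers)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    pos = 12
    while response[pos] != 0:            # skip the question name ...
        pos += response[pos] + 1
    pos += 1 + 4                         # ... its terminator, QTYPE and QCLASS
    out = []
    for _ in range(ancount):
        _, rtype, _, ttl, rdlen = struct.unpack("!HHHIH", response[pos:pos + 12])
        pos += 12
        if rtype == 1:
            out.append((str(ipaddress.IPv4Address(response[pos:pos + 4])), ttl))
        pos += rdlen
    return out


class RebindingServer:
    """Attacker's authoritative server as chronial describes it: the first lookup of a
    name gets the real web server, every later one gets 127.0.0.1. The 1-second TTL is
    an assumption; it just has to be short enough that the browser re-resolves."""
    TTL = 1

    def __init__(self, attacker_ip: str, target_ip: str = "127.0.0.1"):
        self.attacker_ip, self.target_ip = attacker_ip, target_ip
        self.seen = set()

    def answer(self, query: bytes) -> bytes:
        qname = parse_qname(query)
        ip = self.target_ip if qname in self.seen else self.attacker_ip
        self.seen.add(qname)
        return build_a_response(query, ip, self.TTL)


def is_rebind_safe(ip: str) -> bool:
    """True unless `ip` falls in a range the local resolver should never return."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in REBIND_BLOCKED)


def filter_response(response: bytes):
    """X-Istence's policy: refuse the whole answer if any A record points into private space."""
    if all(is_rebind_safe(ip) for ip, _ in parse_a_records(response)):
        return response
    return None


def rebind_attack(server: RebindingServer, qname: str, lookups: int = 2, protect: bool = False) -> list:
    """Resolve `qname` repeatedly, as the browser does once the TTL expires, and report the
    IP that a page served from http://<qname>/ ends up talking to. None means the protective
    resolver refused the answer, so no same-origin request ever reaches localhost."""
    seen_ips = []
    for _ in range(lookups):
        resp = server.answer(build_query(qname))
        if protect:
            resp = filter_response(resp)
        seen_ips.append(parse_a_records(resp)[0][0] if resp else None)
    return seen_ips


if __name__ == "__main__":
    print(rebind_attack(RebindingServer("203.0.113.7"), "mypage.example"))
    print(rebind_attack(RebindingServer("203.0.113.7"), "mypage.example", protect=True))
```

The point of the model is that the same-origin check in lostjohnny's console output never fires: the second fetch from the page still targets http://mypage.example/, so scheme, host and port are unchanged and the browser has no reason to apply CORS, even though the socket now goes to 127.0.0.1. The filter breaks the chain one step earlier, at the resolver, which is why it works regardless of what the browser does; the same idea is what dnsmasq's --stop-dns-rebind option implements.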