←back to thread

I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 3 comments | 28 May 19 07:57 UTC | HN request time: 0.205s | source
Show context
gambler ◴[28 May 19 15:59 UTC] No.20031394[source]
When will software engineers finally understand that issues like these aren't problems with some random service you run on your computer, but with the (lack of) security model behind modern web browsing?
replies(1): >>20031835 #
kyle-rb ◴[28 May 19 16:44 UTC] No.20031835[source]
Modern web browsing provides for this with same-origin policy. Same-origin policy can be negated by the server if it sets an overly lax CORS directive.

So this is something that's secure by default, but can be broken if the "random service you run on your computer" decides to break it. I don't think that's an issue with the browser's security model.

replies(1): >>20033082 #
gambler ◴[28 May 19 18:47 UTC] No.20033082[source]
Same-origin policy is not a security model. It's a ridiculous quarter century old hack. If you pause to think about it, domain names are a horrible way to delineate security boundaries on the web.
replies(1): >>20033762 #
kyle-rb ◴[28 May 19 19:58 UTC] No.20033762[source]
I disagree about domain names, but I don't think that's even relevant to this discussion.

Do you have some kind of security model in mind that would work better than same-origin policy in this case? I.e. cross-origin requests are still allowed to happen somehow, but users are still protected against random services intentionally disabling your security measures?

replies(1): >>20035011 #
1. gambler ◴[28 May 19 22:22 UTC] No.20035011[source]
It is bloody obvious that when people spin something up on their local machines the do not intend to make those pages available to every website they visit. This by itself suggests that there should be a dedicated security context for such applications and that the restriction on information exchange should be based on that context. Not on some random thing the application does (like authentication, CSRF or sending CORS headers).

Scenarios like that should be the foundation of a sensible security model, not an afterthought achieved by applying layers and layers of security ducktape in every single instance.

replies(2): >>20035202 #>>20036550 #
2. kyle-rb ◴[28 May 19 22:53 UTC] No.20035202[source]
>Not on some random thing the application does (like authentication, CSRF or sending CORS headers).

Sending CORS headers isn't "some random thing" though, it's specifically the one thing that stops the security model that's in place from working.

There's a lot of bad security practices that you could define as "some random thing", and the fact that some people might do that thing doesn't make the whole model around it invalid.

3. brlewis ◴[29 May 19 03:08 UTC] No.20036550[source]
>an afterthought achieved by applying layers and layers of security ducktape

This is where you're missing the fundamental nature of the issue in this article. The sensible security model is there by default. An additional layer is added to make a resource available cross-origin, and the article merely serves to remind people that making a resource available cross-origin is still making it available cross-origin when the origin is localhost.