
I can see your local web servers

(http.jameshfisher.com)
652 points | jamesfisher | 1 comment
lostjohnny [20028455]
Nope, you can't

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)

Anyway

    TypeError: /(192\.168\.[0-9]+\.)[0-9]+/.exec(...) is null i-can-see-your-local-web-servers:169:41
replies (3): >>20028659, >>20029606, >>20029927
tlrobinson [20029927]
The post specifically mentions CORS and shows an example Express app that has CORS enabled.
replies (1): >>20030552
lostjohnny [20030552]
CORS is not enabled by default anywhere. I have a few servers running right now on my laptop and the page can't see any of them, because all of them have CORS disabled.

The first thing you do when you enable CORS is to configure it to only respond to specific domains, so that when you deploy to production you don't leave it open by accident.

BTW if you enable CORS as in 'simple usage' in the docs, chances are the home page is a blank page and there will be nothing to be stolen

replies (1): >>20037206
rewq4321 [20037206]
Recently I was testing a client-side algorithm that pulled a lot of data from the server, and I thought my HTTP server might have been the bottleneck, so I spun up a few copies of the server but had to enable CORS to get the client talking to them all. Newbs like me don't realise that localhost + CORS = exposed to the www, so this article was very surprising and useful. This app is only used internally, so your deployment justification doesn't make sense for this case, but I will definitely make sure only specific domains are exempted in the future, thanks to this article.