If my PoC hosted on https://mallory.csrf.jp/ios/localhostbypass.html works correctly, you can see the same alert window that shows the DOM contents of Mozilla Hacks.
Definitely should make sure these are all covered. https://www.psyon.org/tools/ip_address_converter.php?ip=127.0.0.1
Thanks, please consider IPv6 addresses as well.
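The two comments above ask that every notation of 127.0.0.1, and IPv6, be covered. The following is an added example, not the code from the pull request linked in this bug: a host check that normalizes inet_aton-style and IPv6 forms before testing for loopback. The function names and sample hosts are constructed for illustration.

```python
import ipaddress

def _parse_part(part):
    """One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal."""
    low = part.lower()
    if low.startswith("0x"):
        digits, base = low[2:], 16
    elif len(low) > 1 and low.startswith("0"):
        digits, base = low[1:], 8
    else:
        digits, base = low, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        raise ValueError(part)
    return int(digits, base)

def legacy_ipv4(host):
    """Return the IPv4Address for a 1-4 part numeric host, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def is_loopback_host(host):
    """True if host is 'localhost' or any numeric spelling of a loopback address."""
    h = host.strip().lower()
    if h.startswith("[") and h.endswith("]"):   # bracketed IPv6 literal from a URL
        h = h[1:-1]
    if h == "localhost":
        return True
    v4 = legacy_ipv4(h)
    if v4 is not None:
        return v4.is_loopback
    try:
        v6 = ipaddress.IPv6Address(h)
    except ValueError:
        return False
    mapped = v6.ipv4_mapped                      # ::ffff:a.b.c.d form
    return v6.is_loopback or (mapped is not None and mapped.is_loopback)
```

Comparing the host string against a fixed list of spellings misses most of these forms; parsing to an address object first and then asking whether it is loopback covers them with one test.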
Comment on attachment 8763978
Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1922
Looks good, but is that the full fix? Or do we also need bug 1281204 to cover this?
Attachment #8763978 - Flags: review?(sarentz) → review+
This should fix this particular exploit. Bug 1281204 is useful for preventing similar bugs if we're doing unsafe things anywhere else.
master: https://github.com/mozilla/firefox-ios/commit/aca7219802d5cae539ac1b5ea5ce761965c3ad9e v5.x: daf1152