Closed Bug 1550502 Opened 6 years ago Closed 6 years ago

Firefox: Websites able to Link to Resources on Local Machines without Warning

Categories

(Core :: Networking, defect)

66 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 354493

People

(Reporter: elliottabarnes, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Tested with Firefox 66.0.4 on both Windows 7 and Windows 10.

Currently, it appears that the browser will allow any website to redirect to any port combination on a user's local machine (127.0.0.1). This may present a security risk; any website is able to link a user to any port - even though the remote site may not know which local services the user has running, if a link is clicked before the URL is checked a local URL could be accessed. To minimise this, could we maybe consider only allowing links to either 127.0.0.1 or localhost to only be clicked from local servers/web pages? I can directly link to an example URL where I have observed this if required.

Actual results:

I originally came across this when clicking a button from within an online web page, at which point Firefox was redirected to "http://127.0.0.1" and a pre-specified port. If a service had been running on my local machine using that port number, Firefox would have been able to load content stored. This is a problem because if services containing private information are running on a user's machine (including web servers), websites could load a local URL which could result in data leakage.

Expected results:

To increase security, we could either consider only allowing local links to be accessed from either local URLs or local web pages. Alternatively, we could display a warning message - although it may be best to avoid this approach to minimise confusion.

I think this is a well-known aspect of the way the web works today and does not benefit from being hidden as a security bug.

Public discussion includes e.g. https://wicg.github.io/cors-rfc1918/ .

Paul or Johann, can you confirm and if so, unhide?

This is also probably not the right venue to discuss this - it's better had at a web standards group level. Without wanting to be discouraging, there's some prior art here, and it would be good to familiarize yourself with that before making suggestions. Blocking all access today would cause real breakage, and warnings aren't workable either. We'd probably need some mechanism for local services to opt in (cf. as discussed in the RFC).

Flags: needinfo?(ptheriault)
Flags: needinfo?(jhofmann)
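
Until browsers offer an opt-in mechanism of the kind mentioned in the comment above, a loopback service can filter requests itself. The following is an added example, not part of the bug discussion or of Firefox: `check_request`, port 8384 and `https://app.example` are hypothetical, and it assumes the service listens on a non-default port and that the browser sends the `Origin` and Fetch Metadata (`Sec-Fetch-Site`) headers.

```python
# Added example: request filter for an HTTP service bound to loopback.
LOOPBACK_NAMES = {"127.0.0.1", "localhost", "[::1]"}

def check_request(headers, port, trusted_origins=frozenset(), allow_unlabelled=False):
    """Return (allowed, reason) for one incoming request's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. The Host header must name this loopback listener and its port.
    name, _, host_port = h.get("host", "").rpartition(":")
    if name.lower() not in LOOPBACK_NAMES or host_port != str(port):
        return False, "unexpected Host"

    # 2. Origin (sent on CORS and non-GET requests) must be the service
    #    itself or a website the service has explicitly opted in to.
    own = {f"http://{n}:{port}" for n in LOOPBACK_NAMES}
    origin = h.get("origin")
    if origin is not None:
        ok = origin in own or origin in trusted_origins
        return ok, ("Origin allowed" if ok else "untrusted Origin")

    # 3. A link click sends no Origin, but Sec-Fetch-Site still tells the
    #    service whether another site started the navigation.
    site = h.get("sec-fetch-site")
    if site in ("same-origin", "none"):   # "none": address bar, bookmark
        return True, "same-origin or user-initiated"
    if site is not None:                  # "cross-site" or "same-site"
        return False, "started by another site"

    # 4. Neither header: a non-browser client or a browser without Fetch
    #    Metadata. Headers cannot distinguish these, so this is a policy
    #    switch; services with private data should also require a token.
    return allow_unlabelled, "no browser metadata"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "link on a website": {"Host": "127.0.0.1:8384", "Sec-Fetch-Site": "cross-site"},
    "opted-in web app": {"Host": "localhost:8384", "Origin": "https://app.example"},
    "other website, fetch": {"Host": "localhost:8384", "Origin": "https://other.example"},
    "typed into address bar": {"Host": "127.0.0.1:8384", "Sec-Fetch-Site": "none"},
    "wrong Host name": {"Host": "other.example:8384", "Sec-Fetch-Site": "none"},
    "no metadata": {"Host": "127.0.0.1:8384"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", check_request(hdrs, 8384, {"https://app.example"}))
```

A browser that sends neither header, as may be the case for older releases, reaches step 4, so the header check alone does not cover every client.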

This is both a known problem and a "feature" that tons of popular services rely on (Dropbox, Spotify, Zoom, lots of others). Works the same in all browsers and needs spec love. Given the reliance on this we can't unilaterally change anything, at least not in practice.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(ptheriault)
Flags: needinfo?(jhofmann)
Resolution: --- → INACTIVE

Unhiding per discussion with Dan. Ultimately bug 354493 is the older version of this request.

Group: firefox-core-security
Resolution: INACTIVE → DUPLICATE
Component: Untriaged → Networking
Product: Firefox → Core