Closed
Bug 976872
Opened 9 years ago
Closed 1 year ago
Should remote -> localhost CORS access be allowed?
Categories
(Core :: Networking, defect, P3)
RESOLVED
DUPLICATE
of bug 1481298
People
(Reporter: nicholas, Unassigned)
Details
(Whiteboard: [necko-backlog])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36

Steps to reproduce:

For example (I don't have something functioning, this is an overview of how it works):

* Set up a local web server such that it cannot be accessed remotely. It responds with Access-Control-Allow-Origin: * for everything.
* Load up a remote web app, say app.nczonline.net.
* Inside of the web app, make an Ajax request to http://localhost:1234/resource

Actual results:

Works perfectly well.

Expected results:

There's nothing in the CORS spec that says it shouldn't work, and so it does. The question I had is if this was an oversight (and therefore a bad idea to take advantage of) or a supported feature of CORS (in which case it's safe to assume it's not going away in the future).
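The local server in the steps above hands out `Access-Control-Allow-Origin: *` to every origin. As an added example (not code from the report, from Firefox, or from any project named here), the following Python server for the same scenario shows that permissive header beside an Origin-allowlist version that returns no CORS headers at all for unknown origins. The port 1234 and the host app.nczonline.net come from the report; the https scheme, the allowlist, and the JSON body are assumptions made for the example.

```python
import http.server
import json
import socketserver

# Constructed allowlist: the one web origin this local service is meant to
# serve. The host name is from the bug report; the scheme is assumed.
ALLOWED_ORIGINS = {"https://app.nczonline.net"}


def permissive_cors_headers():
    """The setting from the report: any page on the web may read responses."""
    return {"Access-Control-Allow-Origin": "*"}


def allowlisted_cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Hardened form: echo the Origin only when it is on an explicit allowlist.

    For a missing or unknown Origin this returns {} (no CORS headers), so the
    browser will not hand the response body to the requesting page.
    """
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        # The response now depends on the requesting origin; tell caches so.
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, OPTIONS",
    }


class ResourceHandler(http.server.BaseHTTPRequestHandler):
    """Serves every path with JSON, attaching CORS headers per the allowlist."""

    def _send(self, status, body, origin):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in allowlisted_cors_headers(origin).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        # Preflight: answer with the CORS headers (or none) and an empty body.
        self._send(204, b"", self.headers.get("Origin"))

    def do_GET(self):
        body = json.dumps({"path": self.path}).encode()
        self._send(200, body, self.headers.get("Origin"))

    def log_message(self, *args):
        pass  # keep the example quiet


def serve(port=1234):
    # Bind to the loopback address only, as the server in the report does.
    with socketserver.TCPServer(("127.0.0.1", port), ResourceHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Two caveats worth keeping in mind when reading this. First, CORS gates whether a page may read the response, not whether the request is sent: a simple GET from any origin still reaches the handler, so a local service must not rely on CORS headers to protect state-changing endpoints. Second, an allowlist only narrows which web pages may read from the service; the question the report raises, whether the browser should let a public page reach localhost at all, is a browser-side policy, which is what the cors-rfc1918 reference in comment 6 is about.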
It seems to me that we should treat http://localHost the same way we treat file://, and the same way we want to treat rfc1918 addresses. I.e. we should forbid any network connections using things like <img>, <script>, CORS or even <a href> from "the normal web" to localHost, file:// and rfc1918 addresses.
How about requests to 127.0.0.1? Or local etc/hosts DNS that point to 127.0.0.1?
Updated•9 years ago
Component: Untriaged → Networking
Product: Firefox → Core
Comment 3•9 years ago
(In reply to nicholas from comment #2)
> How about requests to 127.0.0.1? Or local etc/hosts DNS that point to
> 127.0.0.1?

I think jonas is saying anything rooted in public web space shouldn't be allowed to access private space (including 127.0.0.1 whether that is resolved from "localhost" or not). Things rooted in private space need to be able to access more private space things (i.e. running your own localhost server to get documents with localhost/10.x references needs to be fine).
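The rule in comment 3, and the etc/hosts question in comment 2, as an added example (not Firefox code and not taken from the cors-rfc1918 draft): classify the initiator and the target into three address spaces, local (loopback), private (RFC1918, link-local, IPv6 ULA) and public, by their resolved address rather than their name, and allow a request only when the target is in the same space or a less private one, unless the target has opted in. The resolver table is constructed; mapping app.nczonline.net to the documentation address 203.0.113.10 is an assumption, and the opt-in header name follows the cors-rfc1918 draft as an assumed name.

```python
import ipaddress
from enum import IntEnum


class AddressSpace(IntEnum):
    """Ordered from most private to least private."""
    LOCAL = 0    # loopback
    PRIVATE = 1  # RFC1918, link-local, IPv6 ULA
    PUBLIC = 2   # everything else


# Explicit ranges rather than ipaddress.is_private, which also counts the
# documentation ranges (e.g. 203.0.113.0/24) as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def address_space(ip_text):
    """Map an IP address (as text) to its address space."""
    ip = ipaddress.ip_address(ip_text)  # ValueError for anything that is not an IP
    if any(ip in net for net in LOCAL_NETS):
        return AddressSpace.LOCAL
    if any(ip in net for net in PRIVATE_NETS):
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC


# Constructed resolver table standing in for DNS plus /etc/hosts. "mybox" is a
# made-up /etc/hosts alias for 127.0.0.1, the case comment 2 asks about.
HOSTS = {
    "localhost": "127.0.0.1",
    "mybox": "127.0.0.1",
    "printer.lan": "192.168.1.10",
    "app.nczonline.net": "203.0.113.10",  # assumed public address
}


def resolve(host, hosts=HOSTS):
    """Classify by the resolved address, never by the name."""
    return address_space(hosts.get(host, host))


# Opt-in response header for public-to-private requests; the name is the one
# the cors-rfc1918 draft uses and is assumed here.
OPT_IN_HEADER = "Access-Control-Allow-Private-Network"


def target_opted_in(preflight_headers):
    return preflight_headers.get(OPT_IN_HEADER, "").strip().lower() == "true"


def request_allowed(initiator_host, target_host, preflight_headers=None, hosts=HOSTS):
    """Comment 3's rule: a request may go to the same or a less private space
    freely; going to a more private space needs the target's opt-in."""
    src = resolve(initiator_host, hosts)
    dst = resolve(target_host, hosts)
    if dst >= src:
        return True
    return target_opted_in(preflight_headers or {})


if __name__ == "__main__":
    for pair in (("app.nczonline.net", "localhost"), ("localhost", "printer.lan")):
        print(pair, "allowed" if request_allowed(*pair) else "blocked")
```

Because the check runs on the resolved address, a public page reaching 127.0.0.1 through "localhost", a raw address, or a local hosts alias is treated the same way, while a page served from localhost may still fetch from a 10.x or 192.168.x device, which is the asymmetry comment 3 asks for.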
Updated•7 years ago
Whiteboard: [necko-backlog]
Comment 4•6 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Comment 5•6 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Comment 6•4 years ago
Related: CORS-RFC1918 https://wicg.github.io/cors-rfc1918/
Updated•1 year ago
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → DUPLICATE