Closed Bug 976872 Opened 9 years ago Closed 1 year ago

Should remote -> localhost CORS access be allowed?

(Core :: Networking, defect, P3)

30 Branch
Windows 7

(Reporter: nicholas, Unassigned)

(Whiteboard: [necko-backlog])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36

Steps to reproduce:

For example (I don't have something functioning, this is an overview of how it works):

* Set up a local web server that cannot be accessed remotely. It responds with Access-Control-Allow-Origin: * for everything.
* Load up a remote web app, say
* Inside of the web app, make an Ajax request to http://localhost:1234/resource

Actual results:

Works perfectly well.

Expected results:

There's nothing in the CORS spec that says it shouldn't work, and so it does. The question I had is if this was an oversight (and therefore a bad idea to take advantage of) or a supported feature of CORS (in which case it's safe to assume it's not going away in the future).

It seems to me that we should treat http://localhost the same way we treat file://, and the way we want to treat RFC 1918 addresses. I.e. we should forbid any network connections using things like <img>, <script>, CORS or even <a href> from "the normal web" to localhost, file:// and RFC 1918 addresses.

How about requests to Or local etc/hosts DNS that point to
Component: Untriaged → Networking
Product: Firefox → Core
(In reply to nicholas from comment #2)
> How about requests to Or local etc/hosts DNS that point to

I think jonas is saying anything rooted in public web space shouldn't be allowed to access private space (including whether that is resolved from "localhost" or not).

things rooted in private space need to be able to access more private space things. (i.e. running your own localhost server to get documents with localhost/10.x references needs to be fine)
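The rule the last two comments converge on (public web space may not reach private space; private space may reach private space) can be enforced on the local server itself, independently of what any browser decides to do. The following is an added example written for this thread, not code from the reporter, the commenters or Firefox. It contrasts the permissive setup from the steps to reproduce (`Access-Control-Allow-Origin: *` on everything) with a server that only grants CORS to origins whose host is `localhost`, a loopback, RFC 1918 or link-local address, and echoes that specific origin instead of `*`. The names `is_private_host`, `cors_allow_origin`, `LocalResourceHandler` and `probe` are this example's own, and the JSON body is a constructed sample. The classification works on the literal host string in the `Origin` header and does not resolve names, so a public DNS name or hosts-file entry that happens to resolve to 127.0.0.1 (the case comment #2 raises) is still classed as public, which is the conservative outcome for a server-side check.

```python
import ipaddress
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def is_private_host(host: str) -> bool:
    """Classify a hostname as 'private space': localhost, loopback, RFC 1918 or link-local.

    Works on the literal host string only; no DNS resolution is done, so a public
    name that resolves to 127.0.0.1 is still treated as public web space.
    """
    host = host.lower().strip("[]")  # urlparse already strips brackets; be tolerant anyway
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other DNS name: treat as public web space
    return ip.is_loopback or ip.is_private or ip.is_link_local


def cors_allow_origin(origin):
    """Return the Access-Control-Allow-Origin value to send, or None to send none.

    Rule from the thread: origins rooted in public web space get no CORS grant;
    origins rooted in private space are echoed back (never '*').
    """
    if not origin:
        return None  # same-origin / non-CORS request, or no Origin header at all
    hostname = urlparse(origin).hostname  # 'Origin: null' yields no hostname
    if hostname and is_private_host(hostname):
        return origin
    return None


class LocalResourceHandler(BaseHTTPRequestHandler):
    # strict=False reproduces the permissive server from the steps to reproduce;
    # strict=True applies the public-vs-private rule above.
    strict = True

    def _cors_headers(self):
        if not self.strict:
            self.send_header("Access-Control-Allow-Origin", "*")
            return
        allowed = cors_allow_origin(self.headers.get("Origin"))
        if allowed:
            self.send_header("Access-Control-Allow-Origin", allowed)
            self.send_header("Vary", "Origin")  # response differs per origin; keep caches honest

    def do_OPTIONS(self):  # preflight
        self.send_response(204)
        self._cors_headers()
        self.send_header("Access-Control-Allow-Methods", "GET")
        self.end_headers()

    def do_GET(self):
        body = b'{"note": "constructed sample resource served from localhost"}'
        self.send_response(200)
        self._cors_headers()
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(strict: bool, origin: str):
    """Start a one-off server on 127.0.0.1, send a single GET carrying the given
    Origin header, and return the Access-Control-Allow-Origin value it replied with."""
    handler = type("Handler", (LocalResourceHandler,), {"strict": strict})
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = srv.server_address[1]
        req = urllib.request.Request(f"http://127.0.0.1:{port}/resource",
                                     headers={"Origin": origin})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.headers.get("Access-Control-Allow-Origin")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for strict in (False, True):
        for origin in ("http://public.example", "http://localhost:1234", "http://10.0.0.5"):
            print(f"strict={strict!s:5} origin={origin:24} -> {probe(strict, origin)}")
```

Run it and the permissive server answers `*` to every origin, while the strict one answers nothing to `http://public.example` and echoes the `localhost` and `10.0.0.5` origins. Echoing the origin rather than `*` also matters once credentials are involved, since `*` is never honoured with `Access-Control-Allow-Credentials`.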
Whiteboard: [necko-backlog]
Bulk change to priority:
Priority: -- → P1
Bulk change to priority:
Priority: P1 → P3
Closed: 1 year ago
Resolution: --- → DUPLICATE