Closed Bug 976872 Opened 9 years ago Closed 7 months ago

Should remote -> localhost CORS access be allowed?

Categories

(Core :: Networking, defect, P3)

30 Branch
x86_64
Windows 7
defect

Tracking

()

RESOLVED DUPLICATE of bug 1481298

People

(Reporter: nicholas, Unassigned)

Details

(Whiteboard: [necko-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36

Steps to reproduce:

For example (I don't have something functioning, this is an overview of how it works):

* Setup a local web server such that cannot be accessed remotely. It responds with Access-Control-Allow-Origin: * for everything.
* Load up a remote web app, say app.nczonline.net.
* Inside of the web app, make an Ajax request to http://localhost:1234/resource




Actual results:

Works perfectly well.


Expected results:

There's nothing in the CORS spec that says it shouldn't work, and so it does. The question I had is if this was an oversight (and therefore a bad idea to take advantage of) or a supported feature of CORS (in which case it's safe to assume it's not going away in the future).
It seems to me that we should treat http://localHost the same way we treat file://, and that we want to treat rfc1918 addresses. I.e. we should forbid any network connections using things like <img>, <script>, CORS or even <a href> from "the normal web" to localHost, file:// and rfc1918 addresses.
How about requests to 127.0.0.1? Or local etc/hosts DNS that point to 127.0.0.1?
Component: Untriaged → Networking
Product: Firefox → Core
(In reply to nicholas from comment #2)
> How about requests to 127.0.0.1? Or local etc/hosts DNS that point to
> 127.0.0.1?

I think jonas is saying anything rooted in public web space shouldn't be allowed to access private space (including 127.0.0.1 whether that is resolved from "localhost" or not)..

things rooted in private space need to be able to access more private space things. (i.e. running your own localhost server to get documents with localhost/10.x references needs to be fine)
Whiteboard: [necko-backlog]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: private-network-access
You need to log in before you can comment on or make changes to this bug.