Christopher Allan Webber

Christopher Allan Webber at

Thinking about adding a localhost-only HTTP API or line-based protocol to your project? Probably not a good idea, because you can use DNS rebinding to get at/mutate that data, or whatever execution stuff is possible, through the developer's own browser.


(I'll bet that TAILS uses Diane's Unbound suggestion to solve this, right? But unless the Tor Browser Bundle includes its own DNS resolver, I think it probably doesn't.)

joeyh at 2016-09-01T21:17:49Z

It feels to me like using named pipes in the cases where you might use an unauthenticated port over localhost would be pretty frequently much, much better.

Christopher Allan Webber at 2016-09-01T21:38:21Z

https://tails.boum.org/contribute/design/Tor_enforcement/DNS/

Looks like they run a local resolver, and they do block some of the private IPs. It's unclear if it blocks 127.0.0.0/8 though.

Diane Trout at 2016-09-01T21:42:34Z

I soooooooo agree! And the current “do everything in the browser” thing needs to go out the window too.

Freemor at 2016-09-02T00:32:41Z
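
An added example, not code from any participant in this thread: a localhost-only HTTP API that refuses requests whose Host header is not a loopback name, which is one server-side check against the DNS rebinding problem raised in the first post, since a rebound request arrives on 127.0.0.1 but still carries the hostname the browser resolved. The port number, the function names and the handler are hypothetical, and the check assumes the API listens on a non-default port so that browsers include the port in the Host header.

```python
# Added example (not from the thread): Host-header allowlist for a loopback API.
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 8765  # hypothetical port for the local API


def allowed_hosts(port):
    """Host header values a browser sends when it really targets this service."""
    names = ("localhost", "127.0.0.1", "[::1]")
    return {f"{name}:{port}" for name in names}


def host_is_local(host_header, port):
    """True only if the Host header names the loopback service itself."""
    if not host_header:
        return False  # missing Host: refuse rather than guess
    return host_header.strip().lower() in allowed_hosts(port)


class LocalAPIHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        port = self.server.server_address[1]
        # A rebound request reaches 127.0.0.1 but its Host header is still
        # the external name the page was loaded from, so it fails this check.
        if not host_is_local(self.headers.get("Host"), port):
            self.send_error(403, "Host not allowed")
            return
        body = b'{"status": "ok"}\n'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def make_server(port=PORT):
    # Bind to loopback only; the Host check covers what binding alone cannot.
    return HTTPServer(("127.0.0.1", port), LocalAPIHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```

The check only filters by hostname; it does not authenticate the caller, so any local process can still reach the API.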