Christopher Allan Webber

Christopher Allan Webber at

Thinking about adding a localhost-only HTTP API or line-based protocol to your project? Probably not a good idea, because you can use DNS rebinding to get at/mutate that data, or whatever execution stuff is possible, through the developer's own browser.

James Dearing 🐲 likes this.

Iñaki Arenaza, Iñaki Arenaza shared this.

Show all 6 replies

(I'll bet that TAILS uses Diane's unbound suggestion to solve this, right? But unless the tor browser bundle includes its own dns resolver, I think it probably doesn't.)

joeyh at 2016-09-01T21:17:49Z

It feels to me like using named pipes in the cases where you might use an unauthenticated port over localhost would be pretty frequently much, much better.

Christopher Allan Webber at 2016-09-01T21:38:21Z

Looks like they run a local resolver, and they do block some of the private IPs. Its unclear if it blocks though.

Diane Trout at 2016-09-01T21:42:34Z

I soooooooo agree! And the current “do everything in the browser” thing need to go out the window too.

Freemor at 2016-09-02T00:32:41Z