Crossing security domains
Posted Jun 11, 2025 15:39 UTC (Wed) by farnz (subscriber, #17727)
In reply to: How to do local services safely by fraetor
Parent article: Covert web-to-app tracking via localhost on Android
The underlying problem here is that you're silently crossing security domains. You think you're accessing https://news-site.example.com/, but you're actually accessing both https://news-site.example.com/ and something on localhost (in the case of Yandex, a HTTPS listener, in the case of Meta, a STUN listener).
I'd therefore guess that you could restrict this sort of exploit without completely prohibiting access to local services in a similar way to the way that you can't use file:/// URLs in a document served over HTTPS. You'd have rules that say things like "if you fetched the top-level document over loopback, then you can also connect to services over loopback. Otherwise, traffic over loopback interfaces is blocked"; then, if I set up the DNS label my-service.example.com to point to a loopback address, and I have my app listen to loopback, you can go to https://my-service.example.com/ and have access to loopback services, but if you instead navigated to https://new-customer.example.com/ (connecting over the network to my webserver), you'd have no access to loopback services, even if you accessed them via the name my-service.example.com.
This would let a legitimate app serve up a web page locally that you could use to access loopback services, but would prohibit me from doing so from a remote site; I'd have to set up a local proxy, and have the browser UI show that you're accessing something like https://my-service.example.com:12345/proxy/new-customer.example.com/site/etc
You're still not fully protected, but it at least stops malicious actors doing this stealthily.
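The gating rule sketched in the comment above, written out as an added example (it is not code from the LWN thread, from farnz, or from any browser). The point it makes concrete is that the decision keys on the literal address the browser actually connected to, never on the hostname, so a DNS label such as my-service.example.com resolving to 127.0.0.1 buys a remote site nothing unless the top-level document itself arrived over loopback. Function names, the browsing-context shape, and the peer addresses (documentation range 203.0.113.0/24) are assumptions made for illustration.

```javascript
// Added example: a model of "loopback subresources are allowed only if
// the top-level document was itself fetched over loopback". Names and
// addresses below are assumptions, not any browser's real API.

// Loopback test for the literal peer address of a connection:
// 127.0.0.0/8, ::1, and IPv4-mapped ::ffff:127.0.0.0/8 (dotted or hex).
function isLoopbackAddress(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) return Number(v4[1]) === 127;
  const lower = ip.toLowerCase();
  if (lower === '::1' || lower === '0:0:0:0:0:0:0:1') return true;
  const mappedDotted = /^::ffff:(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(lower);
  if (mappedDotted) return Number(mappedDotted[1]) === 127;
  return /^::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}$/.test(lower);
}

// At navigation time the browsing context records the peer address of
// the connection that delivered its top-level document; that fact, not
// the URL's hostname, decides whether loopback is later reachable.
function createTopLevelContext(url, peerAddress) {
  return { url, peerAddress, loopbackOrigin: isLoopbackAddress(peerAddress) };
}

// Apply the rule to one outgoing connection (fetch, XHR, WebSocket, or a
// WebRTC/STUN candidate) about to be made to `resolvedAddress`.
function checkLoopbackRequest(ctx, requestHost, resolvedAddress) {
  if (!isLoopbackAddress(resolvedAddress)) {
    return { decision: 'allow', reason: 'destination is not loopback' };
  }
  if (ctx.loopbackOrigin) {
    return { decision: 'allow', reason: 'top-level document was fetched over loopback' };
  }
  return {
    decision: 'block',
    reason: `${ctx.url} was fetched from ${ctx.peerAddress}; ` +
      `refusing loopback connection ${requestHost} -> ${resolvedAddress}`,
  };
}

// Constructed scenarios mirroring the cases discussed in the thread.
function runScenarios() {
  const PUBLIC_PEER = '203.0.113.10'; // assumed address of a remote web server

  // A news site served from the network tries the trackers' trick.
  const newsSite = createTopLevelContext('https://news-site.example.com/', PUBLIC_PEER);
  // A legitimate local app whose own page was served over loopback.
  const localApp = createTopLevelContext('https://my-service.example.com/', '127.0.0.1');
  // A remote site reusing the same loopback-pointing DNS label.
  const remoteSite = createTopLevelContext('https://new-customer.example.com/', PUBLIC_PEER);

  return {
    // HTTPS listener on localhost (the Yandex-style case).
    trackerHttps: checkLoopbackRequest(newsSite, 'localhost', '127.0.0.1'),
    // STUN/ICE candidate to the IPv6 loopback (the Meta-style case).
    trackerStun: checkLoopbackRequest(newsSite, '::1', '::1'),
    // Ordinary network subresource: untouched by the rule.
    cdnFetch: checkLoopbackRequest(newsSite, 'cdn.example.com', '203.0.113.20'),
    // Local app talking to its own loopback service: allowed.
    localAppToLoopback: checkLoopbackRequest(localApp, 'my-service.example.com', '127.0.0.1'),
    // Remote site using the loopback-pointing name: still blocked.
    remoteViaLoopbackName: checkLoopbackRequest(remoteSite, 'my-service.example.com', '127.0.0.1'),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(`${name}: ${result.decision} (${result.reason})`);
}
```

One caveat the model makes visible: the check has to run on the address the socket is really being opened to (after DNS and after any redirect), and it has to cover every channel that can reach a local listener, including WebRTC ICE candidates, not just fetch. A check on the URL's hostname alone is exactly what the my-service.example.com label defeats.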
Crossing security domains
Posted Jun 12, 2025 0:42 UTC (Thu) by wahern (subscriber, #37304) (2 responses)

Crossing security domains
Posted Jun 12, 2025 8:50 UTC (Thu) by farnz (subscriber, #17727) (1 responses)
It's a distinct improvement, however.

Crossing security domains
Posted Jun 12, 2025 10:12 UTC (Thu) by Funcan (subscriber, #44209)
That proposal does, unfortunately, run into the "prompt for insecurity" problem, which means that it doesn't fully block the described exploit - not least because sites using the exploit could socially engineer their way to local network access.