
Gaping Security Hole

Posted Apr 21, 2026 17:31 UTC (Tue) by zwol (guest, #126152)
In reply to: Gaping Security Hole by clugstj
Parent article: Firefox 150 released

Indeed, it always was a bad idea! There were reports of active exploitation of this misfeature almost twenty years ago.

<https://bugzilla.mozilla.org/show_bug.cgi?id=354493> and <https://wicg.github.io/local-network-access/> have the gory details of why this took so long to fix; apparently it's harder than you'd think to draw a clear distinction between private and global IP space, and also there are a lot of home gadget manufacturers that relied on the misfeature to let people configure their gadgets via the manufacturer's website.


Gaping Security Hole

Posted Apr 21, 2026 20:16 UTC (Tue) by iabervon (subscriber, #722)

The other case I know of is allowing local applications to authenticate to remote services by going through browser-based authentication to get the necessary token. The local application presents an HTTP interface on localhost in order to interact with the browser, and it and the authentication site do the appropriate non-same-site handoffs, but that means the authentication site has to redirect back to the local application's HTTP interface.

It seems likely to me that the local application (as well as things like printers) ought to be able to tell the browser when linking to a remote site that the particular remote site ought to be permitted to link back.

Gaping Security Hole

Posted Apr 21, 2026 21:37 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

Pretty much all these kinds of flows now use polling. The CLI application just polls the server periodically (or uses long polling, or HTTP2 events, or whatever) instead of waiting for the browser's local callback.
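The polling pattern Cyberax describes, as an added illustration that is not code from the thread, from Firefox or from any real client: a toy, in-process version of the OAuth 2.0 device authorization grant (RFC 8628). The CLI keeps a device_code and polls the token endpoint while the user completes authentication in a browser, so the authorization site never has to redirect to a loopback port. Both sides are simulated here; the verification_uri host is a placeholder, the fake clock stands in for sleeping, and the error strings and the "add 5 seconds on slow_down" rule follow RFC 8628 section 3.5.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628): CLI polls, no loopback redirect.

Constructed example. Both the authorization server and the CLI client are toy
in-process stand-ins; there is no network and no real identity provider.
"""
import secrets
from dataclasses import dataclass, field

EXPIRES_IN = 600      # device_code lifetime in seconds (RFC 8628 example value)
SLOW_DOWN_STEP = 5    # RFC 8628 s.3.5: on slow_down the client adds 5 s to its interval


@dataclass
class Pending:
    user_code: str
    issued_at: float
    interval: int
    last_poll: float = -1.0
    approved: bool = False
    denied: bool = False


@dataclass
class AuthServer:
    """Toy authorization server keeping device-flow state in memory."""
    now: float = 0.0                                   # fake clock
    pending: dict = field(default_factory=dict)        # device_code -> Pending

    def device_authorization(self, interval: int = 5) -> dict:
        # Step 1: the CLI asks for codes. user_code is what the human types at
        # verification_uri in a browser; device_code never leaves the CLI.
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = Pending(user_code, self.now, interval)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",   # placeholder host
                "expires_in": EXPIRES_IN, "interval": interval}

    def user_decides(self, user_code: str, approve: bool) -> None:
        # Step 2: happens in the browser session, never on a CLI-owned port.
        for p in self.pending.values():
            if p.user_code == user_code:
                p.approved, p.denied = approve, not approve
                return
        raise KeyError("unknown user_code")

    def token(self, device_code: str) -> dict:
        # Step 3: the CLI polls here; responses mirror RFC 8628 section 3.5.
        p = self.pending.get(device_code)
        if p is None:
            return {"error": "invalid_grant"}
        if self.now - p.issued_at > EXPIRES_IN:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if p.last_poll >= 0 and self.now - p.last_poll < p.interval:
            return {"error": "slow_down"}              # polled faster than allowed
        p.last_poll = self.now
        if p.denied:
            del self.pending[device_code]
            return {"error": "access_denied"}
        if not p.approved:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def poll_for_token(server: AuthServer, grant: dict, advance, max_polls: int = 200) -> dict:
    """CLI side: poll, wait `interval` between polls, widen the interval on slow_down.

    `advance(seconds)` is the sleep stand-in that moves the shared fake clock.
    Returns a dict with 'access_token' or 'error', plus the number of polls made.
    """
    interval = grant["interval"]
    for polls in range(1, max_polls + 1):
        resp = server.token(grant["device_code"])
        if "access_token" in resp:
            return {"access_token": resp["access_token"], "polls": polls}
        err = resp["error"]
        if err == "slow_down":
            interval += SLOW_DOWN_STEP
        elif err != "authorization_pending":
            return {"error": err, "polls": polls}     # expired_token, access_denied, ...
        advance(interval)
    return {"error": "gave_up", "polls": max_polls}


def run_scenario(decide_at, approve: bool = True) -> dict:
    """Constructed end-to-end run: the user acts in the browser at `decide_at`
    seconds (None = never) while the CLI polls every 5 s. Returns the CLI's result."""
    srv = AuthServer()
    grant = srv.device_authorization(interval=5)
    state = {"decided": False}

    def advance(seconds: float) -> None:               # stand-in for time.sleep()
        srv.now += seconds
        if decide_at is not None and not state["decided"] and srv.now >= decide_at:
            srv.user_decides(grant["user_code"], approve)
            state["decided"] = True

    return poll_for_token(srv, grant, advance)


def backoff_demo() -> list:
    """Constructed run where the client's first sleep is skipped (a too-eager
    client), so the server answers slow_down and the client widens its interval.
    Returns the sequence of waits the client requested."""
    srv = AuthServer()
    grant = srv.device_authorization(interval=5)
    waits = []

    def advance(seconds: float) -> None:
        waits.append(seconds)
        if len(waits) > 1:                             # first sleep "does not happen"
            srv.now += seconds

    poll_for_token(srv, grant, advance, max_polls=3)
    return waits


if __name__ == "__main__":
    print(run_scenario(17))                            # token after the 5th poll
    print(run_scenario(17, approve=False))             # access_denied
    print(backoff_demo())                              # [5, 10, 10]
```

Nothing in this flow needs the browser to reach a localhost listener: the only thing the browser talks to is the identity provider, and the CLI only ever talks outward, which is why such clients are unaffected by restrictions on pages reaching local addresses.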

Gaping Security Hole

Posted Apr 22, 2026 8:14 UTC (Wed) by cortana (subscriber, #24596)

If my quick reading of the spec is correct, it seems that browsers will assume that private IP address space is 'local' and public space is 'public'. There are networks where this does not hold. I hope browsers will allow the configuration of a list of CIDR ranges to be considered 'local' in addition to the defaults.
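The private-versus-public split cortana is reading from the spec, as an added example that is neither browser code nor text from the draft: a small address-space classifier in the style of the spec's loopback / local / public model. The RFC 1918, link-local and unique-local ranges it treats as "local" are this example's own list, an assumption to check against the current draft rather than a quotation of it. It also shows one of the reasons zwol's "harder than you'd think" holds, namely that IPv4-mapped IPv6 literals such as ::ffff:192.168.1.20 must be judged by their IPv4 form or they silently fall through to "public", and an extra_local parameter stands in for the configurable CIDR list cortana asks for, which is hypothetical here.

```python
"""Address-space classification of the kind Local Network Access relies on.

Constructed illustration, not Firefox or WICG code. LOOPBACK and LOCAL are the
ranges this example uses; the exact set the browsers settle on is the spec's
business. `extra_local` models a hypothetical admin-configured CIDR list.
"""
import ipaddress

LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "169.254.0.0/16",                                  # IPv4 link-local
    "fc00::/7",                                        # IPv6 unique local
    "fe80::/10",                                       # IPv6 link-local
)]

# Most-private last: a request is a "local network request" when the target is
# more private than the initiator.
RANK = {"public": 0, "local": 1, "loopback": 2}


def canonical(addr: str):
    """Normalise so an IPv4-mapped IPv6 literal is judged by its IPv4 form.

    Without this step ::ffff:192.168.1.20 is an IPv6 address that matches none of
    the IPv4 ranges and would be classified as public."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def address_space(addr: str, extra_local=()) -> str:
    """Return 'loopback', 'local' or 'public' for a literal IP address.

    `extra_local` is a hypothetical list of additional CIDR strings an operator
    wants treated as local (e.g. internal use of globally-routable space)."""
    ip = canonical(addr)
    if any(ip in n for n in LOOPBACK):            # version mismatch simply yields False
        return "loopback"
    if any(ip in n for n in LOCAL):
        return "local"
    if any(ip in ipaddress.ip_network(c) for c in extra_local):
        return "local"
    return "public"


def needs_permission(initiator: str, target: str, extra_local=()) -> bool:
    """True when a page served from `initiator` fetching `target` crosses into a
    more private address space, i.e. the case the new restriction gates."""
    return RANK[address_space(target, extra_local)] > RANK[address_space(initiator, extra_local)]


if __name__ == "__main__":
    # Constructed sample targets, including the cases that trip a naive check.
    for a in ("127.0.0.1", "::1", "192.168.1.20", "::ffff:192.168.1.20",
              "fe80::1", "100.64.0.9", "198.51.100.7", "203.0.113.5"):
        print(f"{a:>24} -> {address_space(a)}")
    # cortana's network: 198.51.100.0/24 is used internally, so it is added to the local list.
    print(address_space("198.51.100.7", extra_local=("198.51.100.0/24",)))   # local
    print(needs_permission("203.0.113.5", "192.168.1.1"))                   # True
    print(needs_permission("192.168.1.1", "203.0.113.5"))                   # False
```

Note that 100.64.0.0/10 (the RFC 6598 shared address space used by carrier-grade NAT) is not in this example's local list and so comes out as public; whether ranges like it belong on the local side is exactly the kind of line-drawing question that makes a fixed default list hard and a configurable one attractive.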


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds