- From: Kevin Cox <notifications@github.com>
- Date: Sun, 10 Dec 2023 16:39:59 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/577/1849153424@github.com>
While you have a good point, it is sort of a shame to block UNIX sockets due to this. The same problems exist for local services, LAN servers (like routers) and even cloud VM metadata servers are open to vulnerabilities due to this. Really every redirect target should be carefully considered, and every DNS lookup should have the resulting IP treated with scrutiny. Unfortunately, that isn't the world that we live in; developers are careless and many (most?) popular HTTP libraries don't even expose the primitives to do this. I am not aware of even a single library that prevents this by default. In practice things like `Origin` headers and CORS are used to ensure that requests are coming from the right place and not tricked redirections. These hacks have worked OK, and particularly vulnerable services like browsers are more strict (such as preventing public sites from accessing your router's web UI in most cases). However, while this vulnerability is not specific to UNIX sockets, it is maybe wise to avoid adding more surfaces that can be accessed via this common issue.
Received on Monday, 11 December 2023 00:40:05 UTC
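
The per-hop check the message above describes (scrutinise every redirect target and every resolved IP), as an added example that is not part of the original message or of any library it mentions. The names `vet_url`, `fetch_checked` and `outcome`, the `fetch`/`resolve` hooks and the sample hosts are assumptions made for illustration; the resolver and responses are constructed stubs, so nothing touches the network.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

class BlockedDestination(Exception):
    pass

def vet_url(url, resolve):
    """Return the public IPs url may be fetched from, or raise BlockedDestination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"scheme or host not allowed: {url}")
    host = parts.hostname
    try:
        candidates = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise BlockedDestination(f"{host} did not resolve")
    vetted = []
    for ip in candidates:
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d as a.b.c.d
        if not ip.is_global:  # loopback, private, link-local, ...
            raise BlockedDestination(f"{host} resolves to non-public {ip}")
        vetted.append(str(ip))
    return vetted  # connect to these; a second lookup could return something else

def fetch_checked(url, fetch, resolve, max_hops=5):
    """fetch(url, ips): hypothetical hook doing one request, returns (status, location)."""
    for _ in range(max_hops + 1):
        status, location = fetch(url, vet_url(url, resolve))
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, status
        url = urljoin(url, location)  # Location may be relative
    raise BlockedDestination("too many redirects")

# Constructed sample data: a stub resolver and stub responses, no network used.
DNS = {"public.example": ["93.184.216.34"], "router.example": ["192.168.1.1"],
       "mapped.example": ["::ffff:127.0.0.1"]}
RESPONSES = {"https://public.example/go": (302, "http://169.254.169.254/latest/"),
             "https://public.example/hop": (301, "/ok")}

def outcome(url):
    """Run fetch_checked against the stubs; return the final URL or 'blocked'."""
    try:
        return fetch_checked(url, lambda u, ips: RESPONSES.get(u, (200, None)),
                             lambda h: DNS.get(h, []))[0]
    except BlockedDestination:
        return "blocked"
```

The scheme allow-list is what keeps a new addressing surface out of reach of a redirect; the address check covers the router, loopback and metadata cases the message lists.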