[whatwg/fetch] Reverse HTTP for CSRF/XSS-proofing of localhost webservers (Issue #1685)

Sometimes you want a localhost webserver. Instead of exposing it to anything that may run in a browser, and thus be forced to worry about CSRF, XSS, and all that good stuff, what if you just... didn't?

What if you could have your localhost webserver and not have to do all of that?

The only reason those are a concern is because arbitrary websites can connect *to* the localhost webserver. The obvious solution is to prevent that. The actual approach to prevent that is not as obvious, however, but it'd probably be called "Reverse HTTP" of some sort.


Message ID: <whatwg/fetch/issues/1685@github.com>

Received on Thursday, 13 July 2023 23:21:57 UTC