Re: [whatwg/url] Addressing HTTP servers over Unix domain sockets (#577)

> http://host.example.com.uds.localhost/path/to/socket//path/to/resource

What you absolutely don't want is the ability for any web server in the wild to use your browser to issue arbitrary HTTP requests to arbitrary Unix sockets.

It is already quite difficult for people to grasp the notion that LAN-only services and localhost-only services can be attacked by remote web servers (CSRF, DNS rebinding attacks to LAN services or localhost services). If a web browser were to allow arbitrary websites to issue HTTP requests to arbitrary UNIX sockets, this would open up a wide range of attack opportunities (e.g. using DNS rebinding attacks to attack UNIX-socket-bound Docker servers), including attacks based on protocol confusion.

If you wanted such a feature to be mostly safe, you would have to actively opt in:

* either by having the user actively map a Unix socket into an HTTP domain;
* or by having a default location for UNIX sockets which want to be mapped to a domain name / URI (e.g. /run/user/{pid}/published/80/XXX → http://XXX).

Firefox currently allows using a SOCKS proxy over a UNIX socket (including multiple such proxies when using FoxyProxy). It would be possible to write a "SOCKS with UNIX socket" → UNIX socket bridge.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/577#issuecomment-1827983298

Message ID: <whatwg/url/issues/577/1827983298@github.com>

Received on Monday, 27 November 2023 14:50:19 UTC
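The "default location" opt-in from the message above, sketched as an added example (not code from the thread, from Firefox, or from the URL Standard): a hostname resolves to a socket only if the user has published one under a dedicated directory. The function names, the ownership check and the symlink refusal are assumptions made here about what opting in should require; `base_dir` stands for a directory such as the `/run/user/{pid}/published` path mentioned in the message.

```python
import os
import re
import socket
import stat
import tempfile

# One DNS label: letters, digits, hyphens; no "/", no "..", no empty label.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def resolve_published_socket(host, base_dir, port=80):
    """Return the socket path published for `host`, or None if not opted in."""
    host = host.lower().rstrip(".")
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        return None  # rejects traversal and anything that is not a hostname
    expected = os.path.join(os.path.realpath(base_dir), str(int(port)), host)
    try:
        st = os.lstat(expected)  # lstat: a symlink is not followed
    except OSError:
        return None  # nothing published under this name
    if not stat.S_ISSOCK(st.st_mode):
        return None  # regular files, directories and symlinks are refused
    if st.st_uid != os.getuid():
        return None  # assumption: only the user's own sockets count as opt-in
    if os.path.realpath(expected) != expected:
        return None  # a parent directory was a symlink leading elsewhere
    return expected


def demo():
    """Build a constructed publish directory and resolve several hostnames."""
    with tempfile.TemporaryDirectory() as base, \
            socket.socket(socket.AF_UNIX) as srv, \
            socket.socket(socket.AF_UNIX) as other:
        port_dir = os.path.join(base, "80")
        os.mkdir(port_dir)
        srv.bind(os.path.join(port_dir, "app.example"))  # opted-in service
        outside = os.path.join(base, "docker.sock")  # constructed stand-in
        other.bind(outside)  # a socket that was never published
        os.symlink(outside, os.path.join(port_dir, "evil.example"))
        names = ["app.example", "APP.example.", "evil.example",
                 "../docker.sock", "missing.example"]
        return {n: resolve_published_socket(n, base) is not None for n in names}


if __name__ == "__main__":
    print(demo())
```

Only the socket bound directly inside the publish directory resolves; the symlink to an unpublished socket, the traversal attempt and the unknown name are all refused, so a remote page cannot name an arbitrary socket path through the hostname.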