Closed t0xodile closed 2 months ago
Thank you very much for your contribution to the URL validation bypass cheat sheet. Interestingly, when I tested this case, the server more often trusted the unencrypted connection, which confirms that the code checks if the string starts with http://localhost. May I ask you to send me your handle on X.com (formerly Twitter.com)? Alternatively, I can use a link to your profile on GitHub if that’s more convenient for you.
Cheers!
Hi! Sure thing, it's the same as here -> https://x.com/t0xodile Sounds much more legit that it trusts http for localhost to be honest. But I've definitely seen the behavior I described in the wild. I guess it's a double-layer of badly implemented origin validation...
I've come across apps that, as mentioned in the cheat sheet, trust https://localhost. However, when I've come across this, the implementation is sometimes flawed and "https://localhost.attacker-domain.com" will also work. Perhaps this is covered enough by the examples? But maybe worth an add?
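An added example (not from the cheat sheet or either commenter) contrasting the prefix check the thread describes with a parse-then-compare check, so that `https://localhost.attacker-domain.com` is rejected. Function names and the constructed test URLs are mine.

```python
from urllib.parse import urlsplit

# Constructed sample inputs (not from the thread) illustrating the bypass discussed.
TRUSTED_HOST = "localhost"


def naive_is_trusted(url: str) -> bool:
    """The flawed check from the thread: a bare string-prefix test.

    Anything that merely begins with the trusted string passes, so
    'https://localhost.attacker-domain.com' is accepted.
    """
    return url.startswith("https://localhost") or url.startswith("http://localhost")


def strict_is_trusted(url: str, trusted_host: str = TRUSTED_HOST,
                      allow_http: bool = False) -> bool:
    """Parse the URL and compare scheme and host exactly, not as a prefix."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. malformed IPv6 brackets; treat unparseable input as untrusted
        return False
    allowed_schemes = ("https", "http") if allow_http else ("https",)
    if parts.scheme not in allowed_schemes:
        return False
    # Reject userinfo so 'https://localhost@evil.example' cannot masquerade
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname is lowercased and excludes the port, so the comparison is exact
    return parts.hostname == trusted_host
```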