ipfs / ipfs-webui

A frontend for an IPFS Kubo and IPFS Desktop
https://webui.ipfs.io
MIT License
1.57k stars 490 forks

WebUI does not work for non local machine #591

Closed dsvi closed 7 years ago

dsvi commented 7 years ago

The WebUI, returned by <IPFS API URL>/webui, has hardcoded localhost in it. So it doesn't really work for any machine other than localhost. It should take the API address from the go-ipfs config, not just force it to be localhost.

daviddias commented 7 years ago

@dsvi that is intended and is a security protection mechanism to make sure that you can't have access to admin features outside of your local machine :) Hope this clarifies.

dsvi commented 7 years ago

Not really, no. It confuses more than it clarifies. So I do have remote access to the JSON RPC API, through which I get the page and can control the daemon, but through the page itself, I can't control it. What kind of "security" exactly does this provide? Does it all hold on the fact that I can't change 'localhost' to any other string in the JavaScript? It really sounds very silly, to put it mildly. The page itself doesn't have anything to do with security. It's a convenient GUI to the already provided and accessible RPC.

DiagonalArg commented 6 years ago

This issue should still be opened. It is the same as #628, #637 and #594.

DevonJames commented 6 years ago

@diasdavid what specific security concerns would there be if the webui wasn't hardcoded to work with localhost only?

edit: seems like /Config and adding files via /Files would be the concerns. Many of us just want to use /Files to look up info about a file - seems like that functionality could be exposed to work with remote hosts without exposing any vulnerabilities, no?

This may be something we could lend some development cycles to implementing if it's the right direction to take things.

olizilla commented 6 years ago

See: https://github.com/ipfs-shipyard/ipfs-webui/issues/836