Closed turquoiseowl closed 9 years ago
Using http://localhost:*/* as your allowed master is completely safe as this will never match a live website. Conversely, using just * is very dangerous as it would allow all (including malicious) websites to make requests to your website on your users' behalf.
Hmm, not sure that a locally-hosted website/webapp can't be 'live' (not sure what you mean by that) but thanks for the reply.
A locally hosted website is one made on purpose, so it'll never be the case that your users accidentally find themselves on a localhost domain. Whereas they might accidentally arrive at evilsite.com which matches *.
On Monday, October 6, 2014, Martin Connell notifications@github.com wrote:
Closed #115 https://github.com/jpillora/xdomain/issues/115.
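To make the difference between the two master patterns concrete, here is an added example (not xdomain's own code) of a small wildcard matcher run against a few constructed requester URLs. It assumes, as a simplification, that a master pattern is matched against the requester's `scheme://host:port/path`, that `*` matches any run of characters, and that every other character is literal; the `auditMasters` helper is likewise an assumed name.

```javascript
// Added example, not part of xdomain. Pattern semantics are an assumption:
// "*" matches any run of characters, everything else is literal, and the
// whole requester URL (scheme://host:port/path) must match.

function patternToRegExp(pattern) {
  // Escape regex metacharacters in the literal pieces, then join the pieces
  // with ".*" so each "*" in the pattern becomes a wildcard.
  const escaped = pattern
    .split('*')
    .map(part => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$');
}

// True when at least one configured master pattern admits the requester.
function isAllowedRequester(masters, requesterUrl) {
  return Object.keys(masters).some(p => patternToRegExp(p).test(requesterUrl));
}

// Defensive check for a masters map: report any pattern that would admit a
// requester on a clearly non-local, constructed domain. A non-empty result
// means the slave is open to arbitrary third-party sites.
function auditMasters(masters) {
  const probe = 'https://evilsite.example/any/path';  // constructed probe URL
  return Object.keys(masters).filter(p => patternToRegExp(p).test(probe));
}

// Two constructed master configurations, mirroring the thread.
const localOnlyMasters = { 'http://localhost:*/*': '*' };
const wideOpenMasters = { '*': '*' };

// Constructed requester URLs.
const localDev = 'http://localhost:3000/api/users';
const lookalike = 'http://localhost.evilsite.example/api/users';
const remote = 'https://evilsite.example/any/path';

console.log(isAllowedRequester(localOnlyMasters, localDev));   // true
console.log(isAllowedRequester(localOnlyMasters, lookalike));  // false
console.log(isAllowedRequester(localOnlyMasters, remote));     // false
console.log(isAllowedRequester(wideOpenMasters, remote));      // true
console.log(auditMasters(wideOpenMasters));                    // [ '*' ]
console.log(auditMasters(localOnlyMasters));                   // []
```

The `localhost:` literal in the first pattern is what keeps it from matching a look-alike host such as `localhost.evilsite.example`, and it is why the pattern cannot be satisfied by any page a user reaches on the public internet; `auditMasters` is the kind of check a practitioner can run over a slave's configuration before deploying it.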
@turquoiseowl "Live" means hosted on a real (remote) domain (i.e. somedomainname.com). http://localhost:portnumber maps to 127.0.0.1:portnumber (on Windows, at least), and is not something that can (normally) be accessed by a remote computer.
With you, thanks. With your implementation, is master=* dangerous if the slave endpoint doesn't use cookie authentication?
I've just got xDomain working great, your work is much appreciated here.
My particular use case is a Single Page App (AngularJS) hosted locally that calls out to a remote server. IE8 and IE9 support is required.
I've ended up with the following proxy.html on the slave server and am trying to understand the security implications to the server:
Is that a massive security hole?
Many thanks.