search

privacytests / privacytests.org

Source code for privacytests.org. Includes browser testing code and site rendering.
https://privacytests.org
MIT License
797 stars 23 forks source link

Some browsers allow any web page to access localhost subresources #134

Open arthuredelstein opened 1 year ago

arthuredelstein commented 1 year ago

What the hell?

uazo commented 1 year ago

some chromium related documents that might interest you

Intent to Experiment: Private Network Access preflight requests for subresources Intent to Deprecate and Remove: Private Network Access requests for subresources without proper preflight response

that's something I was checking out too.

uazo commented 1 year ago

some detail here

Render-initiated navigations to filesystem:// URLs are blocked in top-level frames, but are currently allowed in
iframes. As part of the storage partitioning efforts, we propose to remove support for navigation to 
filesystem:// URLs in iframes. Preventing navigation in third-party contexts would be sufficient for 
our privacy goals, but as usage is almost non-existent, we believe removing support for navigation in 
iframes altogether is the better approach.

source: https://groups.google.com/a/chromium.org/g/blink-dev/c/2V7lIYDkdtI

ShivanKaul commented 1 year ago

With Chromium, the local server has to opt-in to these preflight requests, which doesn't really work if the local server is also malicious.