Comment by josephcsible (2 months ago): Why don't all browsers, desktop and mobile, just block all cross-origin access to localhost?

easterncalculus (2 months ago): For one, I think it would break all those "update your BIOS via your motherboard website" apps that probably shouldn't exist anyways. There probably are some legitimate uses, but I'm straining to come up with them.

arunkant (2 months ago): Maybe just ask for confirmation.

dwaite (2 months ago): There's an effort to define standard behavior here. See https://wicg.github.io/private-network-access/ (although I suspect this document may make a significant shift soon).

chedabob (2 months ago): I thought they did for resources and JS, which is why Meta have to use WebRTC instead? I think the Yandex one slips through because CORS does a naive check against just what's in the header, not what it resolves to?
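The Private Network Access preflight that dwaite's link describes, and the "what's in the header versus what it resolves to" gap chedabob raises, as an added example that is not part of this thread or of the WICG draft. It assumes a hypothetical local service with a constructed origin allowlist and a constructed DNS table; the two Access-Control-*-Private-Network header names are the ones defined in the draft, everything else is illustrative.

```python
"""Added example (not from the thread or the WICG draft): how a local HTTP
service should answer a CORS / Private Network Access preflight, and why a
check on the literal Origin/Host string is not the same as a check on the
address a name resolves to. The allowlist and DNS table are constructed."""
import ipaddress
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only web origins allowed to reach this local service.
ALLOWED_ORIGINS = {"https://updater.example", "http://localhost:8080"}

# Header names from the Private Network Access draft.
PNA_REQUEST = "Access-Control-Request-Private-Network"
PNA_ALLOW = "Access-Control-Allow-Private-Network"


def preflight_response(headers: Dict[str, str],
                       allowed_origins: Iterable[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Decide what a loopback-bound service answers to an OPTIONS preflight.

    Under PNA the browser adds Access-Control-Request-Private-Network: true
    when a public page targets a loopback or private address. The service must
    opt in explicitly per origin; any other origin gets no Access-Control-*
    headers at all, so the browser refuses the request.
    """
    origin = headers.get("Origin", "")
    if origin not in set(allowed_origins):
        return {}  # no CORS headers: the browser blocks the call
    response = {
        "Access-Control-Allow-Origin": origin,   # echo the exact allowlisted origin
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",                        # keep shared caches from mixing origins
    }
    if headers.get(PNA_REQUEST, "").lower() == "true":
        response[PNA_ALLOW] = "true"             # explicit private-network opt-in
    return response


def host_of(origin: str) -> str:
    """Host part of an origin such as https://h:443 or http://[::1]:80."""
    return urlsplit(origin).hostname or ""


def is_loopback_target(host: str,
                       resolve: Optional[Callable[[str], Iterable[str]]] = None) -> bool:
    """True if `host` denotes the loopback interface.

    A literal IP is judged directly. A name is judged only by what `resolve`
    returns for it; with no resolver, only the literal name "localhost" counts.
    That is the gap described above: a public-looking name that resolves to
    127.0.0.1 slips past a check that looks only at the header string.
    """
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal, fall through to name handling
    if host == "localhost":
        return True
    if resolve is None:
        return False
    return any(ipaddress.ip_address(addr).is_loopback for addr in resolve(host))


# Constructed DNS view for the demo: one public-looking name pointed at loopback.
FAKE_DNS = {"public.example": ["127.0.0.1"], "updater.example": ["203.0.113.10"]}


def demo_resolver(name: str) -> Iterable[str]:
    """Stand-in for DNS resolution, backed by the constructed table above."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for origin in ("https://updater.example", "https://attacker.example"):
        print(origin, preflight_response({"Origin": origin, PNA_REQUEST: "true"}))
    for host in ("127.0.0.1", "::1", "localhost", "public.example"):
        print(host, is_loopback_target(host), is_loopback_target(host, demo_resolver))
```

The first function is the defensive side: a service bound to loopback should only ever emit the PNA opt-in header for origins it has explicitly allowlisted. The second shows why "block localhost" is harder than string-matching the name: the string check and the resolved-address check disagree on `public.example`.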