Comment by josephcsible 5 days ago

Why don't all browsers, desktop and mobile, just block all cross-origin access to localhost?

4 comments

easterncalculus 5 days ago

For one I think it would break all those "update your BIOS via your motherboard website" apps that probably shouldn't exist anyways.

There probably are some legitimate uses, but I'm straining to come up with them.

arunkant 5 days ago

Maybe just ask for confirmation

dwaite 4 days ago

There's effort to define standard behavior here. See https://wicg.github.io/private-network-access/ (although I suspect this document may make a significant shift soon)

chedabob 5 days ago

I thought they did for resources and JS, which is why Meta have to use WebRTC instead?

I think the Yandex one slips through because CORS does a naive check against just what's in the header, not what it resolves to?