Comment by thayne
5 days ago
It seems to me like a non-localhost site making requests to localhost, or a link-local address should require a permission granted by the user.
5 days ago
It seems to me like a non-localhost site making requests to localhost, or a link-local address should require a permission granted by the user.
On MacOS and probably iOS it does. You get a popup that the application wants to access other devices on the network. Unfortunately it's not really clear to the user what this means and if the app is asking it for legitimate reasons or for spyware.
I have seen this pop-up many times, and not once has it been for a legitimate reason. Every site worked just fine without the permission.
It’s not a meaningful permission. Even if they know what “localhost” means, most users have no idea which servers are running on localhost on each of their devices, so they don’t know the risks.
This needs to be higher level: “can website A connect to app B?”
> Even if they know what “localhost” means, most users have no idea which servers are running on localhost on each of their devices, so they don’t know the risks.
It could be worded as something like "connect to applications running on your device". And yeah, users probably don't know what things that might be, but that is why it is a scary permission, and almost all websites don't need it, and if you really do need it, you should be able to explain to the user why you need to talk to a local process, and you probably also need the user to install specific software.
> This needs to be higher level: “can website A connect to app B?”
Unfortunately, on at least some OSes, this isn't really possible. You don't connect to an app, you connect to a port, and there isn't always a way to know what is on the other side. Especially if this is something on your local network, not localhost. You could ask about a specific host/port combination, but most users won't have any idea what that means.
Seriously, what's even the point of having firewalls or NAT if you're going to let any external website just start opening up arbitrary connections to localhost? Is something embedded on the page for foobar.com any more trust worthy than a random IP trying to open a connection?