Comment by Spivak

2 days ago

This doesn't actually seem that bad to me? Browsers don't let random pages on the internet hit localhost without prompting you anymore so it's not like a random website could RCE you unless you're running an old browser—and at that point that's the browser's fault for letting web pages out of the sandbox. You shouldn't have to protect localhost from getting hit with random public websites.

The rest is just code running as your user can talk to code running as your user. I don't really consider this to be a security boundary. If I can run arbitrary code by hitting a URL I accept that any program running as me can as well. Going above and beyond is praiseworthy (good for you turning on SELinux as an example) but I don't expect it by default.

> Browsers don't let random pages on the internet hit localhost without prompting you anymore

No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox).

> The rest is just code running as your user can talk to code running as your user

No, that assumes that there is only a single user on the machine, and that either there are no forms of isolation or all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well.

  • Huh? I have this permission in Firefox right now. It looks like Safari handles this with the OS local network permission.

    True, I did assume machines are single user; I haven't seen a shared computer in ages. Doing local development, I have insecure/incomplete software listening on localhost all the time while developing it. And lots of people have passwordless sudo, or unprivileged access to the Docker socket, so protection against local processes running as me is not part of my threat model. And I know this is pretty dev-centric, but OpenCode is dev-centric as well.

    • Are you on macOS? That might be a feature specific to that OS, I don't think Firefox does that on other OSes.