Comment by CyberShadow
2 days ago
> Browsers don't let random pages on the internet hit localhost without prompting you anymore
No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox).
> The rest is just code running as your user can talk to code running as your user
No, that assumes that there is only a single user on the machine, and there are either no forms of isolation or that all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well.
Huh? I have this permission in Firefox right now. It looks like Safari handles this with the OS local network permission.
True I did assume machines are single user, I haven't seen a shared computer in ages. Doing local development I have insecure/incomplete software listening on localhost all the time while developing it. And lots of people have passwordless sudo, or unprivileged access to the docker socket so protection against local processes running as me is not part of my threat model. And I know this is pretty dev centric but OpenCode is dev centric as well.
Are you on macOS? That might be a feature specific to that OS, I don't think Firefox does that on other OSes.