
Reverse HTTP for CSRF/XSS-proofing of localhost webservers

Open SoniEx2 opened this issue 2 years ago • 5 comments

Sometimes you want a localhost webserver. Instead of exposing it to anything that may run in a browser, and thus be forced to worry about CSRF, XSS, and all that good stuff, what if you just... didn't?

What if you could have your localhost webserver and not have to do all of that?

The only reason those are a concern is because arbitrary websites can connect to the localhost webserver. The obvious solution is to prevent that. The actual approach to prevent that is not as obvious, however, but it'd probably be called "Reverse HTTP" of some sort.

SoniEx2 avatar Jul 13 '23 23:07 SoniEx2

https://wicg.github.io/local-network-access/ attempts to solve that. It'll eventually be mostly integrated into Fetch.

annevk avatar Jul 14 '23 04:07 annevk

That's neat, but considering the CSP changes we feel like maybe something with a uniquely allocated, opaque origin would be more appropriate?

Like, that's the real benefit of reverse HTTP: you prevent other connections altogether. And localhost webservers don't need to be able to fetch each other - they can use standard system-level IPC instead.

(But reverse HTTP does only cover localhost...)

SoniEx2 avatar Jul 14 '23 12:07 SoniEx2

I'm not sure what CSP has to do with it?

annevk avatar Jul 14 '23 17:07 annevk

this prevents further connections without preflight: https://wicg.github.io/private-network-access/#csp

but it doesn't make a fully isolated sandbox. you can still accept requests from public websites.

(we do appreciate that it blocks navigation by default tho. that's really nice to see.)

SoniEx2 avatar Jul 14 '23 17:07 SoniEx2
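The thread's concern is that any public web page can make a browser send requests to a localhost server, and that Private Network Access only adds a preflight rather than isolating the server. The following is an added example, not code from the issue or from the Fetch/PNA specs, of what a localhost server can do on its own side today: refuse the PNA preflight outright, reject requests whose `Host` header does not name the local machine (the DNS-rebinding case), reject any browser `Origin` outside an allowlist, and require a per-process bearer token that a web page cannot know. `ALLOWED_ORIGINS`, `LOCAL_HOSTS`, the token scheme and the port are assumptions chosen for the demo; the `Access-Control-Request-Private-Network` header is the one defined by the Private Network Access draft linked above.

```python
"""Localhost HTTP server that refuses requests originating from arbitrary
web pages. Added example for this discussion, not code from the thread."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import secrets

# Hypothetical allowlist: the only browser origin permitted to talk to this
# server (e.g. the app's own UI). An empty set means no web page may call it.
ALLOWED_ORIGINS = {"http://localhost:8080"}
# Host values that name this machine; anything else suggests DNS rebinding.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Constructed per-process secret; handed to the legitimate client out of band
# (stdout here), never discoverable by a page the browser happens to load.
API_TOKEN = secrets.token_urlsafe(32)


def host_without_port(host_header):
    """Strip a trailing :port from a Host value, handling bracketed IPv6."""
    if host_header is None:
        return ""
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def decide(headers, token=None):
    """Return (status, reason) for a request described by its headers.

    headers: dict of lower-cased header names -> values.
    token:   bearer token the caller must present, or None to skip that check.
    """
    host = host_without_port(headers.get("host"))
    if host not in LOCAL_HOSTS:
        return 421, "Host header does not name localhost (possible DNS rebinding)"
    # Private Network Access preflight: a public page is asking the browser for
    # permission to reach a local address. Refusing here keeps it out entirely.
    if headers.get("access-control-request-private-network") == "true":
        return 403, "private-network preflight refused"
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-site origin refused"
    if token is not None and headers.get("authorization") != f"Bearer {token}":
        return 401, "missing or wrong bearer token"
    return 200, "ok"


class LocalOnlyHandler(BaseHTTPRequestHandler):
    def _respond(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        status, reason = decide(headers, token=API_TOKEN)
        body = reason.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        # Deliberately no Access-Control-Allow-* headers: even if a cross-site
        # page reaches us, the browser will not let it read the response.
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_OPTIONS = _respond


if __name__ == "__main__":
    print("token:", API_TOKEN)
    # Bind to the loopback address only; never 0.0.0.0.
    HTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```

The checks are ordered so that the cheapest structural rejections (wrong `Host`, PNA preflight) happen before any origin or token comparison, and `decide` is kept separate from the handler so the policy can be unit-tested without opening a socket. Note that a missing `Origin` header is not proof of a non-browser client, which is why the bearer token remains the real gate.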

Hey guys, I have written about this topic and I have a live demo on https://ports.sh to scan ports over HTTP; you need to surf using http://. https:// will scan only https ports.

avioligo avatar Mar 19 '24 14:03 avioligo