| ▲ | brians 2 hours ago | |
I think any browser will allow it but not allow data read back. | ||
| ▲ | btown an hour ago | parent | next [-] | |
FWIW this was the status quo (webpage could ping arbitrary ports but not read data, even with CORS protections) - but it is changing. This is partially in response to https://localmess.github.io/ where Meta and Yandex pixel JS in websites would ping a localhost server run by their Android apps as a workaround to third-party cookie limits. Chrome 142 launched a permission dialog: https://developer.chrome.com/blog/local-network-access Edge 140 followed suit: https://support.microsoft.com/en-us/topic/control-a-website-... And Firefox is in progress as well, though I couldn't find a clear announcement about rollout status: https://fosdem.org/2026/schedule/event/QCSKWL-firefox-local-... So things are getting better! But there was a scarily long time where a rogue JS script could try to blindly poke at localhost servers with crafty payloads, hoping to find a common vulnerability and gain RCE or trigger exfiltration of data via other channels. I wouldn't be surprised if this had been used in the wild. | ||
| ▲ | airza an hour ago | parent | prev | next [-] | |
There is a CORS preflight check for POST requests that don't use form-encoding. It would be somewhat surprising if these weren't using JSON (though it wouldn't be that surprising if they were parsing submitted JSON instead of actually checking the MIME-type which would probably be bad anwyay) | ||
| ▲ | mememememememo 2 hours ago | parent | prev [-] | |
Isn't there a CORS preflight check for this? In most cases. I guess you could fashion an OG form to post form fields. But openai is probably a JSON body only. The default scenario should be secure. If the local site sends permissive CORS headers bets may be off. I would need to check but https->http may be a blocker too even in that case. Unless the attack site is http. | ||