Aaaand this is why we need to deny access to internal IP addresses from the web. Maybe that can be my 2016 windmill.
What's the fastest way to port scan 127.0.0.1 from HTML/JS? Currently I have an unsatisfied 7 minutes for 1-65535 #js #fastest #portscan
@justinschuh: Enough to require a preflight + non-wildcard ACAO for all web->RFC1918 requests? @BRIAN_____ @fugueish @ericlaw @frgx @imelven
@mikewest @justinschuh @fugueish @ericlaw @frgx @imelven If it's truly local, the latency should be very low.
Replying to @mikewest
@mikewest It's probably covered, but is DNS rebinding a concern? Also, what happens if attacker emails .html doc that local loads attack?

Dec 27, 2015 · 1:11 PM UTC

Replying to @bilcorry
@bilcorry: I believe rebinding is covered, but not explicitly. I’ll add it and @sleevi_ will hopefully tell me whether the approach is sane.
Replying to @bilcorry
@bilcorry: `file://` needs some thought. The proposal doesn’t address that attack, and it seems pretty distinct.
Replying to @bilcorry
@bilcorry: I’ve been slowly working on locking down `file://` for a while now. Held back a bit by WebView, which relies on it heavily.