This is a pattern. Mozilla and others are furthering the interests of gatekeepers under the pretext of 'end user security'. The browser community has been scaremongering against self-signed certs for years now and yet is happily handing 'authority' to shady projects in the Middle East. What does one make of that?
Because of this obsession with 'central authority' even local Ajax calls to 127.0.0.1 and localhost are blocked by Mozilla. What is even worse is they are doing this intentionally in spite of the standards explicitly not requiring this for localhost or 127.0.0.1, and are misleading users on bug reports and wasting their time. [1][2][3]
Some have wasted days mucking about with CORS headers and SSL only to realize this is a Firefox-only issue. Even Chrome, which is not shy about furthering gatekeepers and their own interests, doesn't do this. Needless to say this is not a problem on any other browser.
Reading the bug reports, it seems that Firefox allows access to 127.0.0.1 ports if the originating website is not https. This is weird - I would never want some random site to control my local services (including LAN) without getting explicit permission. This leads to vulnerabilities: https://lwn.net/Articles/703485/
A standard website cannot access your local services. 127.0.0.1 and localhost are local addresses to the server, not the end user system. Private addresses cannot be accessed over the public internet.
This is about a server accessing backend local services on the server or local private network via an SSL-terminating reverse proxy etc.
I don't understand a couple of things from this answer.
> 127.0.0.1 and localhost are local addresses to the server, not the end user system.
If localhost is relative to the server, then a browser running on an end user device cannot access it due to the unroutable IP in the first place, obviating the problem, which is not the case, seeing that the bug is open in Firefox.
> Private addresses cannot be accessed over the public internet.
That makes sense, the 127.0.0.0/8 space is routed only to localhost.
> a SSL terminating reverse proxy
If the proxy endpoint is on localhost, it looks the same to the browser as any other local service before a connection attempt. If the proxy cannot certify that it matches the website (using an SSL cert?), then it's indistinguishable from any actual local service, and therefore should not be accessible by default.
EDIT: I genuinely do not understand what those sentences mean in the context of that discussion - they seem to be using terms in a way I've not seen them used before.
The standards explicitly name and allow 127.0.0.1 and localhost. Is there any value in rehashing this?
This works perfectly on Chrome and all other browsers. It's only Firefox which is a problem. So it's for Mozilla to explain why they are going against the standards and other browsers.
If Firefox is doing something that's closer to the right thing to do in terms of security, then it's not Firefox that is the problem, but the standard.
It would not be the only Web standard that acts against the users (WebRTC enumeration of IP addresses, canvas fingerprinting, 3rd party cookies, many others come to mind).
One could make the case Firefox is trying to 'protect users' if they resisted or protested any of the user hostile standards you mention, but Firefox has implemented all of them.
It's just this case and this is not 'user hostile'. If they are going their own way there must be transparency, disclosure and reasoning. But in the bug reports they are denying it.
Okay, I'm not saying Firefox is trying to protect the users in this case. Based on [0], they care about following the standard, and they implemented a patch once they saw they were not compliant. About 6 months ago, the bug came back. With a charitable outlook, it looks like a bug they don't give much priority to.
When it comes to the bigger topic of standards, they are meant to increase interoperability. However, there are many ways to interoperability, and they can serve different masters. Seeing how standards are just codified behaviours, they are similar to law, and it's quite clear that law is not always good. Civil disobedience is widely recognized as a valid way to influence laws.
In this light, I would say breaking standards can be a form of civil disobedience, if the standard doesn't serve the regular, disenfranchised person.
> A standard website cannot access your local services.
I've used https://ziahamza.github.io/webui-aria2/ in the past to manage aria2c with aria2c running on localhost (see https://github.com/ziahamza/webui-aria2/blob/master/README.m... for instructions) and the webui loaded directly from said address. That was a while ago and I don't know if any browsers still allow access to localhost by default, but at least some of them did last time I used that webui.
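The "explicit permission" asked for earlier in the thread can be enforced by the local service itself rather than by the browser. The following is an added example, not code from the thread, from webui-aria2 or from aria2: a small service on 127.0.0.1 that honours cross-origin browser requests only from an explicit allowlist of web origins and refuses every other Origin. The allowlisted origin and port 6800 are constructed values for illustration.

```python
# Added example (not from the thread): a local HTTP service bound to 127.0.0.1
# that only honours cross-origin requests from an explicit allowlist of origins.
# The Origin header is set by browsers and cannot be forged by page scripts, so
# this blocks arbitrary websites from driving the service; non-browser clients on
# the same host are still trusted, as with any localhost service.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed allowlist: the only web origins permitted to talk to this service.
ALLOWED_ORIGINS = {"https://ziahamza.github.io"}

def normalize_origin(origin):
    """Return scheme://host[:port] in lowercase, or None if absent/malformed."""
    if not origin or origin == "null":       # opaque origins get no access
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None                          # an Origin value carries no path
    return f"{parts.scheme}://{parts.netloc}".lower()

def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """CORS response headers for a permitted origin, or None to refuse."""
    norm = normalize_origin(origin)
    if norm is None or norm not in allowed:
        return None
    return {                                 # echo the exact origin, never "*"
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }

class Handler(BaseHTTPRequestHandler):
    def _reply(self, status, body=b""):
        origin = self.headers.get("Origin")
        hdrs = cors_headers(origin)
        if origin is not None and hdrs is None:
            self.send_response(403); self.end_headers(); return
        self.send_response(status)           # no Origin: same-origin request
        for name, value in (hdrs or {}).items():
            self.send_header(name, value)
        self.end_headers(); self.wfile.write(body)
    def do_OPTIONS(self): self._reply(204)   # preflight
    def do_GET(self): self._reply(200, b'{"status":"ok"}')
    def do_POST(self): self._reply(200, b'{"accepted":true}')

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 6800), Handler).serve_forever()
```

Binding to 127.0.0.1 rather than 0.0.0.0 keeps the service off the LAN, and echoing one allowlisted origin instead of `Access-Control-Allow-Origin: *` is what stops the "random site controls my local services" case.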
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=903966
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1440370
[3] https://stackoverflow.com/questions/51269439/why-are-my-requ...