Localhost security


PHolder

May 19, 2018
I was just poking around in the "experiments" tab of Chrome to enable an unrelated feature (about crypto-jacking prevention) when I came across:
chrome://flags/#allow-insecure-localhost

I wonder what dangers this opens if enabled. I know that one of the complaints about the link between client and JavaScript was related to the difficulty of doing HTTPS correctly on a localhost connection (though not strictly needed, as we all know).
 

AlanD

May 20, 2018
I thought the localhost connection was insecure, i.e. http not https, but the fact that it was within the same machine meant that this was not an issue.
 

PHolder

May 19, 2018
Yes, but this setting could allow it to be secure (well HTTPS) as well. I forget the reasons why that would have helped in the past... probably something about mixed content warnings.
 

shanedk

May 20, 2018
I really don't understand the point of this feature. All they have to do is turn off the mixed-mode warning when the insecure resource is on localhost. They were supposed to do this a whole bunch of versions ago, but apparently it only applies to certain cases.
 

Dror Harari

Aug 10, 2019
I wonder what dangers this opens if enabled.
I know that many programs run local servers as a means of portable inter-process communication, binding to the loopback address 127.0.0.1 under the assumption it cannot be reached from outside of the machine. Letting browsers communicate with localhost (other than if you put it in the URL) may let web-based entities try to do mischief in the background.
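A defensive counterpart to the concern in the post above, added here as an example that is not code from the thread: a loopback-bound Python service that refuses requests a web page issued in the background by checking the Host, Origin and Sec-Fetch-Site headers before acting (the port 8080, the handler class and the helper names are assumptions).

```python
"""Loopback-only request filter for a local IPC-style HTTP service (added example).

Binding to 127.0.0.1 keeps remote machines out, but the user's own browser is
on the loopback side too: any web page it renders can send requests to
http://127.0.0.1:PORT. The checks below distinguish those from requests the
user typed or a local program made.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hostnames as urlsplit().hostname reports them (lowercase, IPv6 brackets removed).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _header(headers, name):
    """Case-insensitive lookup that works for dicts and http.server's message objects."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_trusted_local_request(headers) -> bool:
    """Return True only if the request plausibly came from this machine, not a web page."""
    host = _header(headers, "Host")
    # No Host, or a Host that is not loopback (e.g. a DNS-rebound name): reject.
    if not host or urlsplit("//" + host).hostname not in LOOPBACK_HOSTS:
        return False
    # Browsers add Sec-Fetch-Site; "none" is a user-initiated navigation,
    # "same-origin" is our own page. Anything else is another site's request.
    # (Older browsers omit it, which is why the Origin check follows.)
    site = _header(headers, "Sec-Fetch-Site")
    if site is not None and site not in ("none", "same-origin"):
        return False
    # Origin is sent on cross-origin fetches/XHR/POSTs; "null" parses to no hostname.
    origin = _header(headers, "Origin")
    return origin is None or urlsplit(origin).hostname in LOOPBACK_HOSTS


class LocalOnlyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not is_trusted_local_request(self.headers):
            self.send_error(403, "request did not originate from this machine")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from loopback\n")

    do_POST = do_GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LocalOnlyHandler).serve_forever()
```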