Awaiting feedback User bug report


Jason L.

Member
Feb 2, 2019
14
0
I believe this was a test site that used to not work. Glad you were finally able to update it and get it working. I did have to disable HTTPS Everywhere and Allow Localhost via uBlock Origin on the test site to get the Anti-Spoof Protection to work. The site works fine now. I only created a username; no password.

Speaking of Localhost, is it safe to globally allow it; rather than allow it for specific sites? Is there a way Localhost can be abused on a malicious site?
 

PHolder

Well-known member
May 19, 2018
918
124
> Is there a way Localhost can be abused on a malicious site?

Well, localhost is the PC you're using. If you have apps running on that PC that are listening for connections, then it could be possible for malicious JavaScript to attempt to open connections to those apps. If you're concerned about bad actors, I would err on the side of safety, and block anything you don't know you need.
 

Jason L.

Member
Feb 2, 2019
14
0
> Well, localhost is the PC you're using. If you have apps running on that PC that are listening for connections, then it could be possible for malicious JavaScript to attempt to open connections to those apps. If you're concerned about bad actors, I would err on the side of safety, and block anything you don't know you need.

Thanks for the quick response. I decided to go back to my original configuration of allowing localhost on a per-site basis. I just have to remember that if I get the No Spoof Protection warning to make sure I allow localhost and I may have to disable HTTPS Everywhere for the site also; assuming the site is set up properly. I do seem to recall a SQRL test server that was giving the warning even though localhost was allowed and HTTPS Everywhere was disabled. I even tried the site on a different browser and still got the warning. I do not remember the URL.
 
> Thanks for the quick response. I decided to go back to my original configuration of allowing localhost on a per-site basis. I just have to remember that if I get the No Spoof Protection warning to make sure I allow localhost and I may have to disable HTTPS Everywhere for the site also; assuming the site is set up properly. I do seem to recall a SQRL test server that was giving the warning even though localhost was allowed and HTTPS Everywhere was disabled. I even tried the site on a different browser and still got the warning. I do not remember the URL.

TL;DR: Your configuration is right when you have chosen to block localhost globally. The spoof warning is only a warning; if you trust the site then it's OK, it's only there to make you think. You're not alone, I have this issue too, but sites should still work without the anti-spoof being able to work. Just be careful.

A per-site basis is a great way to do it. The spoof warning is for cases where the SQRL client was unable to get a direct connection to the browser. If it was able to, it would send the CPS flag.

What your setup is doing is stopping an image request to localhost:25519, which is used by sites to wake the SQRL client up or determine if you have one locally. Then a well-created site would redirect you to localhost:25519/{A base64 encoded version of the SQRL link}. This allows the client to directly redirect the browser when it's identified you.

By it being blocked, you are effectively doing the same process as a cross-device login.

The HTTPS Everywhere issue is probably the worst part, as it will probably affect a lot of people. I get this issue on my work PC, as corporate policy in my browser enforces this and I can't turn it off.
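
The localhost:25519 handoff described in the post above, sketched as an added example that is not part of the original thread and is not code from any SQRL client or site. The function names, the sample link and the unpadded base64url variant are assumptions; the client-side check that the decoded value is a `sqrl:` link reflects the earlier point that any page can try to reach a listener on localhost.

```javascript
// Added example. Function names, the sample link and the unpadded base64url
// variant are assumptions; the thread only says "base64 encoded".
const CPS_ORIGIN = "http://localhost:25519"; // port named in the thread

// Site side: URL the browser is sent to once the local client is detected.
function encodeCpsUrl(sqrlLink) {
  return `${CPS_ORIGIN}/${Buffer.from(sqrlLink, "utf8").toString("base64url")}`;
}

// Client side: recover the SQRL link from the request path. Anything that is
// not a well-formed token decoding to a sqrl: link is refused, because the
// listener is reachable by every page the browser loads.
function decodeCpsPath(path) {
  const token = path.replace(/^\//, "");
  if (!/^[A-Za-z0-9_-]+$/.test(token)) return null;
  const link = Buffer.from(token, "base64url").toString("utf8");
  try {
    return new URL(link).protocol === "sqrl:" ? link : null;
  } catch {
    return null;
  }
}

// Site side: choose the flow from the result of the image probe. A blocked
// probe (localhost not allowed) falls back to the cross-device style login,
// which is when the spoof warning is shown.
function chooseLoginFlow(probeLoaded, sqrlLink) {
  if (probeLoaded) {
    return { flow: "same-device", cps: true, spoofWarning: false,
             target: encodeCpsUrl(sqrlLink) };
  }
  return { flow: "cross-device", cps: false, spoofWarning: true,
           target: sqrlLink };
}

// Constructed sample link, not taken from a real site.
const SAMPLE_LINK = "sqrl://example.com/cli.sqrl?nut=CONSTRUCTED-SAMPLE";
```
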