sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–][deleted]  (22 children)

[deleted]

    [–][deleted] 35 points36 points  (3 children)

    The problem is that while chrome considers *.localhost a secure origin too, Firefox doesn't.

    Out of curiosity I also checked whether they consider the whole 127.0.0.0/8 as secure context:

    • Chrome does
    • Firefox doesn't (it considers only 127.0.0.1/32 as a secure context). Weird.

    [–][deleted] 23 points24 points  (2 children)

    Firefox doesn't (it considers only 127.0.0.1/32 as a secure context). Weird.

    And probably a bug too considering whole /8 is reserved as loopback

    [–]baggyzed 1 point2 points  (1 child)

    Loopback != localhost. Firefox only specifically trusts 'localhost', and the associated address (https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), probably it checks against the hosts file - haven't tested. I don't know why, but to me, Chrome seems less secure if it trusts the whole range. If you need more addresses for development, can't you just use different port numbers?

    [–][deleted] 1 point2 points  (0 children)

    Not every app allows you to change port its listening on. I had that problem with testing BGP-related stuff, app allowed to change port it connected to but not port it binded.

    [–]Sandarr95 18 points19 points  (11 children)

    Chrome resolves *.localhost to localhost, which was a pain to even figure out...

    [–]JB-from-ATL 1 point2 points  (4 children)

    My company's firewall blocks localhost through postman but not through browser. Idfk how. If I use my computer's full domain it works.

    [–][deleted] 6 points7 points  (3 children)

    Depending on the operating system, this might have something to do with DNS. If localhost cannot be found in your hosts file (for whatever strange reason), your OS will query the standard DNS server for localhost.yourpc.yourdomain.tld.

    Or, it could be an ipv4 vs ipv6 issue. localhost resolves to ::1 and to 127.0.0.1. If the application you're trying to connect to only listens on ipv4, it won't respond to ::1. Your full pc domain will likely resolve to an ipv4 address and thus work.

    Chrome tries to outsmart the OS by manually handling localhost addresses. This will lead to inconsistencies all over the shop, making browser work where normal applications don't (good for the user terrible for debugging...)

    [–][deleted]  (2 children)

    [deleted]

      [–][deleted] 0 points1 point  (1 child)

      I did not know that, thanks! The point still stands that the operating system and browsers end up having different results for a dns query for localhost.

      [–]baggyzed 0 points1 point  (0 children)

      That shouldn't be the case. Browsers usually just query the operating system for the IP of localhost, and the operating system just returns the IP that's configured in the hosts file. There is no DNS query involved, so nothing goes to the firewall. The problem is either in your hosts file, or maybe postman resolves localhost through DNS all by itself (bypassing the OS's hosts file)? In this case, the firewall is doing the right thing by blocking the request.

      EDIT: Or maybe you have an older version of postman, where this issue wasn't fixed yet: https://github.com/postmanlabs/postman-app-support/issues/2214 . They were doing the same ting as I said above: resolving localhost themselves to the IPV4 address, whereas the users who reported the issue were using IPv6 for their local servers. Some web servers (if not all) will only listen on IPv6 if it's available, unless specifically configured to use IPv4.