undefined | Better HN

0 pointszrobotics6y ago0 comments

I'm curious, what would be a good reason to do this? I'm not creative enough to think of anything this enables a site to do that isn't malicious. If I'm running a service on localhost, and that service needs to communicate with the site I'm browsing, surely I could just direct that service to communicate with the site itself.

For instance, if I'm running a local chat application and need it to communicate with the web version, why does the website need to be able to port scan to accomplish this? I can think of other ways to accomplish this that are a lot more secure.

0 comments

8 comments · 5 top-level

tlb6y ago· 3 in thread

Ubiquiti routers have a fairly magical browser SPA that can run on their domain and talk to local routers. It involves webrtc connections to local addresses.

But I think if same-origin were enforced more strictly, they could have found another way.

Macha6y ago

Huh, I never looked but always assumed this was proxying through the controller.

tlb6y ago

It does this most of the time, either through the cloud or direct to the controller. But during setup of the first device on a network it does something direct from the browser to get it connected to the cloud.

SmallPeePeeMan6y ago

How is this different than the admin page for any other router brand? (SPA does not seem relevant to this discussion)

chrisshroba6y ago

I'm not defending this use case, but one example I can think of is that Spotify runs a local server so that websites you access can control it, e.g. if you are on Billboard looking at top music charts, clicking on a song could start the song in Spotify, and even embed a player in the web browser, without you needing to be signed into Spotify in your browser.

Here's an interesting tangential article about how they get around obstacles with SSL certs for localhost: https://letsencrypt.org/docs/certificates-for-localhost/

efokschaner6y ago

This might be banks trying to detect compromised users. Many "tech support" scams aim to get remote desktop access to users PC's and then have them log in to their bank while scammers are connected. I could see how banks looking for remote access software could be a useful heuristic in fighting this problem.

AnIdiotOnTheNet6y ago

Synology uses it to find your unconfigured device on the network for first time setup.

codezero6y ago

Here's my hypothesis: it's to detect bots.

Your bot is running a redis server locally, it allows local connections, because it's just a bot, boom.

Taking it a bit further, if we have really smart people involved: the timing of the attempted connections/rejections tell you something about the system that you can use to detect bots/scrapers.

Another example of this being used in the past is to scan for chrome extensions that scrape site content as well. I believe LinkedIn might have gotten hit hard for trying something similar but they were using extension URLs not localhost. Some extensions do spin up localhost services though.

j / k navigate · click thread line to collapse