It's crazy to me that this has always been the default behavior for web browsers. A public website being able to silently access your entire filesystem would be an absurd security hole. Yet all local network services are considered fair game for XHR, and security is left to the server itself. If you are developer and run your company's webapp on your dev machine for testing (with loose or non-existent security defaults), facebook.com or google.com or literally anyone else could be accessing it right now. Heck think of everything people deploy unauthed on their home network because they trust their router's firewall. Does every one of them have the correct CORS configuration?
I majored in CS and I had no idea that was possible: public websites you access have access to your local network. I have to take time to process this. Beside what is suggested in the post, are there any ways to limit this abusive access?
There are no mechanisms in browsers yet. Best you can do is using the OS to forbid your whole browser to access your local network. (And use another browser only for your local network.) Ask ChatGPT for methods to sandbox your browser.
What’s even crazier is that nobody learned this lesson and new protocols are created with the same systematic vulnerabilities.
Talking about MCP agents if that’s not obvious.
> Does every one of them have the correct CORS configuration?
I would guess it's closer to 0% than 0.1%.
The local server has to send Access-Control-Allow-Origin: * for this to work, right?
Are there any common local web servers or services that use that as the default? Not that it’s not concerning, just wondering.
No, simple requests [1] - such as a GET request, or a POST request with text/plain Content-Type - don't trigger a CORS preflight. The request is made, and the browser may block the requesting JS code from seeing the response if the necessary CORS response header is missing. But by that point the request had already been made. So if your local service has a GET endpoint like http://localhost:8080/launch_rockets, or a POST endpoint, that doesn't strictly validate the body Content-Type, then any website can trigger it.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/COR...
I was thinking in terms of response exfiltration, but yeah, better put that /launch_rockets endpoint behind some auth.