
OP was suggesting that a website you were visiting was accessing this URL via JavaScript and posting it to OP's server.



Same-origin policy prevents that specific attack, although the same idea exists if you’re not protected from DNS rebinding on localhost, and `--bind 127.0.0.1` (or some other way to block the port) is necessary – but the Pythons’ built-in HTTP servers aren’t vulnerable to path traversal anyway.
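An added example, not part of either comment above: binding to 127.0.0.1 keeps other machines off the port, but a rebinding page reaches the server under the attacker's hostname, so a localhost server can additionally reject any request whose `Host` header does not name loopback. `host_allowed`, `LoopbackOnlyHandler`, the allowlist and port 8000 are assumptions made for this sketch.

```python
import http.server

# Names a browser sends in Host when the user really typed a loopback URL.
ALLOWED_NAMES = {"localhost", "127.0.0.1", "[::1]"}


def host_allowed(host_header, port):
    """Return True only if the Host header names this loopback server and port."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, optional ":port" after "]"
        name, sep, rest = host.partition("]")
        name += sep
        if rest and not rest.startswith(":"):
            return False
        host_port = rest[1:]
    else:
        name, _, host_port = host.partition(":")
    if name not in ALLOWED_NAMES:
        return False  # e.g. a rebinding hostname that now resolves to 127.0.0.1
    if host_port == "":
        return port == 80  # browsers omit the port only for the scheme default
    return host_port == str(port)


class LoopbackOnlyHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that answers 403 unless Host passes host_allowed()."""

    def _check_host(self):
        port = self.server.server_address[1]
        if host_allowed(self.headers.get("Host"), port):
            return True
        self.send_error(403, "Host header not allowed")
        return False

    def do_GET(self):
        if self._check_host():
            super().do_GET()

    def do_HEAD(self):
        if self._check_host():
            super().do_HEAD()


if __name__ == "__main__":
    # Loopback bind, the in-code equivalent of `--bind 127.0.0.1`.
    addr = ("127.0.0.1", 8000)
    http.server.ThreadingHTTPServer(addr, LoopbackOnlyHandler).serve_forever()
```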



