by ekimekim 3079 days ago
This is ridiculous. Not that I'm defending Transmission on their slowness here, but this is fundamentally a Chrome issue. Websites being able to access services running on localhost is a security vulnerability, a sandbox escape. People assume restricting incoming connections to localhost means that only localhost can connect, because that is exactly what that is MEANT to do. I don't think it's reasonable for every service in the world to now assume the loopback interface is hostile because browsers can't get their act together.

Agreed. JavaScript's security model is broken if it allows this. It is just that simple. Blaming services that trust localhost is delusional.
True, but the DNS rebinding attack is real and invalidates a lot of assumptions.
Then shouldn't it be fixed? Again, this is a Chrome bug.
It would be shortsighted to simply call this a Chrome bug.

You can use this attack to make the browser communicate with somebody else’s computer. If that computer happens to give the user privileges because of his IP address, for instance because he is in the same home or because he is on localhost, the attacker can then use these privileges.

One could imagine Chrome blocking this attack with respect to localhost, but blocking connections to machines on the home network is far-fetched.

And note that it’s not just web services, the browser can start general TCP connections.
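
A service-side check relevant to the rebinding scenario debated in this thread, as an added example that is not from any commenter or from Transmission: in a DNS rebinding request the TCP peer is loopback, but the HTTP `Host` header still carries the name the browser resolved, so an HTTP service can reject names it does not expect. The allowlist, function names, port and sample requests are constructed for illustration, and the check applies only to HTTP services.

```python
import ipaddress

# Assumption: the only DNS name this loopback-only service is reached by.
ALLOWED_HOSTNAMES = {"localhost"}


def split_host_header(value):
    """Return the host part of a Host header, lowercased, without the port."""
    value = value.strip().lower()
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        return value[1:end] if end != -1 else ""
    host, _, _port = value.partition(":")
    return host.rstrip(".")                   # "localhost." names the same host


def host_is_trusted(host_header):
    """True if Host is a loopback IP literal or an allowlisted name."""
    host = split_host_header(host_header or "")
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                        # not an IP literal, so treat as a name
        return host in ALLOWED_HOSTNAMES


def accept_request(peer_ip, host_header):
    """Source-IP trust alone passes rebinding traffic; require both checks."""
    return ipaddress.ip_address(peer_ip).is_loopback and host_is_trusted(host_header)


# Constructed sample requests: (TCP peer address, Host header value).
SAMPLES = [
    ("127.0.0.1", "localhost:8080"),               # local client
    ("127.0.0.1", "rebind.attacker.example:8080"), # rebinding: peer is loopback
    ("::1", "[::1]:8080"),                         # local client over IPv6
    ("192.168.1.20", "localhost:8080"),            # non-loopback peer
    ("127.0.0.1", None),                           # missing Host header
]


def decide_all():
    return [accept_request(peer, host) for peer, host in SAMPLES]


if __name__ == "__main__":
    for (peer, host), ok in zip(SAMPLES, decide_all()):
        print(f"{peer:15} {str(host):32} {'accept' if ok else 'reject'}")
```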