by CodesInChaos
2785 days ago
What you really need is a shared secret between (embedded) browser and (local) server. IP, host header, origin header can be checked as defense in depth, but can't prevent local privilege escalation from non-browser clients and are quite fragile even in browsers. (Or use a secure non-TCP/IP-based communication channel.)
That is such a different threat model though. A native app has a lot more permissions than a web page. Trying to protect one native app from another is not really done much. Like, are MS Word documents encrypted so Slack can't read them from disk?
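One way to implement what the first comment recommends, a shared secret as the real gate with the Origin header only as defense in depth, as an added example that is not code from the original thread or any project it mentions. The port, the allowed-origin list, the bearer-token format and the idea that the server mints a random per-session token at startup and hands it only to the embedded browser are all assumptions for the illustration.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed: the embedded browser is served from one of these origins. A
# non-browser client can set any Origin it likes, so this list is only a
# secondary check, never the thing that actually authorizes a request.
ALLOWED_ORIGINS = {"http://127.0.0.1:8765", "http://localhost:8765"}


def new_session_token() -> str:
    """Random per-session secret; only the embedded browser should ever see it."""
    return secrets.token_urlsafe(32)


def check_request(headers, expected_token: str) -> tuple:
    """Return (allowed, reason). Works on a plain dict or on http.server's headers.

    The shared secret is the gate. The Origin check runs after it and only
    rejects; it never grants access on its own.
    """
    hdr = {k.lower(): v for k, v in headers.items()}

    auth = hdr.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    presented = auth[len("Bearer "):]
    # Constant-time comparison so timing does not leak the token byte by byte.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "bad token"

    # Defense in depth: a browser that does send Origin must send an expected one.
    origin = hdr.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "unexpected origin"
    return True, "ok"


class LocalHandler(BaseHTTPRequestHandler):
    session_token = ""  # filled in by run_server()

    def do_GET(self):
        allowed, reason = check_request(self.headers, self.session_token)
        if not allowed:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"authorized")


def run_server(host: str = "127.0.0.1", port: int = 8765) -> None:
    """Bind to loopback only and mint the token the embedded browser must present."""
    LocalHandler.session_token = new_session_token()
    # Assumed delivery: the host application passes this token to the embedded
    # browser out of band (launch argument, injected page, etc.), never over HTTP.
    print("token for the embedded browser:", LocalHandler.session_token)
    HTTPServer((host, port), LocalHandler).serve_forever()


if __name__ == "__main__":
    run_server()
```

Binding to loopback and checking Origin both narrow who can talk to the server, but neither distinguishes the embedded browser from any other local process; only the token does, which is why it is checked first and with a constant-time compare.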