|
|
|
|
|
|
by CyberShadow
160 days ago
|
|
|
> Browsers don't let random pages on the internet hit localhost without prompting you anymore No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox). > The rest is just code running as your user can talk to code running as your user No, that assumes that there is only a single user on the machine, and there are either no forms of isolation or that all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well. |
|
|
True I did assume machines are single user, I haven't seen a shared computer in ages. Doing local development I have insecure/incomplete software listening on localhost all the time while developing it. And lots of people have passwordless sudo, or unprivileged access to the docker socket so protection against local processes running as me is not part of my threat model. And I know this is pretty dev centric but OpenCode is dev centric as well.