Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specific localhost resources to be accessible by all websites. #30181

Open
MicahZoltu opened this issue May 6, 2023 · 3 comments
Open

Allow specific localhost resources to be accessible by all websites. #30181

MicahZoltu opened this issue May 6, 2023 · 3 comments
Labels
OS/Desktop privacy/localhost-permission

Comments

@MicahZoltu
Copy link

Description

Support for permissioned access to localhost was added in brave/brave-core#17321, but by default sites cannot request this permission. They must first be manually added to a whitelist, and at that point the website can request access to all localhost resources.

Sometimes there are locally available resources that one would like all websites to be able to access. In particular, local resources that facilitate a more decentralized web like IPFS or Ethereum. There should be a way for users to add a specific localhost resource (port) such that any website can request permission to access just that resource. For example, you might add localhost:8080 (IPFS default port) and localhost:8545 (Ethereum default HTTP port) with a label (IPFS and Ethereum respectively) and any website would be able request access to Local IPFS or request access to Local Ethereum the same way they request access to camera/mic.

Generally speaking, I think there are very few situations where there is a good reason to allow a website to port scan the local machine, but I can imagine a number of reasons (integrating with desktop services) where access to a very specific port is quite reasonable for any website that wants to integrate with it.

Note: Opening this per request from @ShivanKaul over in #27346 (comment). I didn't see an option for opening a feature request, let me know if this is the wrong place.
@MicahZoltu MicahZoltu mentioned this issue May 6, 2023
Closed
@ShivanKaul
Copy link
Collaborator

There is a way to say "allow requests to localhost resources by all websites", but not "allow requests to this particular localhost port by any/all websites".

image

@ShivanKaul
Copy link
Collaborator

It might be useful for this permission to key off of the localhost port as well as the embedding origin.

@MicahZoltu
Copy link
Author

I think it is also important to allow the "labeling" of ports. I can imagine in the future there being a way for external applications to add/suggest entries into this list (e.g., when you install a desktop app that exposes a localhost bound port) and being able to label it would make it so when a permission request occurs for a specific port Brave would tell the user the name rather than the number.

For example, "www.some-website.com wants to access IPFS from your computer, allow/deny" vs "www.some-website.com wants to access port 8080 from your computer, allow/deny". This would be similar to the labeling of microphones/cameras rather than "USB device #3".

@ShivanKaul ShivanKaul mentioned this issue Jul 17, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
OS/Desktop privacy/localhost-permission
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MicahZoltu @ShivanKaul