Op 03-10-2023 om 22:03 schreef Vivien Kraus: > Hello! > > Le lundi 25 septembre 2023 à 22:46 +0200, Maxime Devos a écrit : >> However, there are also some dangers on doing this >> thing -- the ‘external’ pagehttps://example.com/data.json  could >> redirect to >> http://localhost/unsecured-secret-but-its-localhost-only-so-it-is-safe >> . > Since you want to warn users about this problem, I have to first > understand why it is a problem at all. Your example literally ends with > "so it is safe", and I fail to see why it would be a problem. Could you > elaborate? The 'so-it-is-safe' is ironic, as in, ‘so-naively-you-might-have-thought-it-was-safe-but-it-isnt'.. More concretely, here is how things could be used for a data exfiltration attack: Let's say that user U has a local web server (localhost), on which passwords are saved. Furthermore, let's say that U locally runs software that periodically downloads https://secretly-evil-or-compromised.com/page and uploads a copy to https://somewhere-public.org. (For example, maybe U wants to know how secretly-evil-or-compromised.com/page evolves over time, and shares the results with other people.) The attacker, who controls secretly-evil-or-compromised.com, adjusts the server to redirect https://secretly-evil-or-compromised.com/page to http://localhost/passwords. Now, next time the software is run, the software notices the redirect https://secretly-evil-or-compromised.com/page -> http://localhost/passwords, so it naively follows the redirect and now the passwords are copied to a public web page that the attackers can access, even though supposedly the passwords were localhost-only! For another attack, see . Best practices against this are two-fold: * redirections are not followed across ‘scopes’ (e.g., global internet website -> localhost website is forbidden). This can be quite complex, but at least some cases are handled by Firefox, IIRC. In case of browsers, there are also XSS prevention things etc.. The best prevention is not allowing redirects at all or only allowing redirections that keep the hostname intact -- while an option for much software, it isn't an option for web browsers. * web servers don't rely on being not directly inaccessible from the network for security, instead, they also require things like cookies, logins, not-technically-a-cookie-but-?secret=something-long. Best regards, Maxime.