
Right... And that's only blocked if the host asks for it via CORS, or Same-Origin policies. Because otherwise you break any combination of apps. It's up to the server on the localhost not to blindly trust. And has been since the beginning.
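
An added example, not code from either commenter: one way a service bound to localhost can avoid blindly trusting whatever reaches its port, by checking the `Host` and `Origin` headers before acting on a request. The port `8731`, the origin `https://app.example` and the function name `check_request` are assumptions made up for this sketch.

```python
# Assumptions (constructed for illustration): the service listens on
# 127.0.0.1:8731 and has exactly one trusted web front end.
PORT = 8731
ALLOWED_HOSTS = {f"127.0.0.1:{PORT}", f"localhost:{PORT}"}
ALLOWED_ORIGINS = {f"http://localhost:{PORT}", "https://app.example"}
READ_ONLY_METHODS = {"GET", "HEAD"}  # handlers for these must have no side effects


def check_request(method, headers):
    """Return (allowed, reason, cors_headers) for one incoming request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # A page that re-points its own DNS name at 127.0.0.1 still sends its
    # own hostname in Host, so anything but our loopback names is refused.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host", {}

    origin = h.get("origin")
    if origin is None:
        # Policy choice in this sketch: requests without Origin (local CLI
        # tools, plain navigations) may only use read-only methods.
        if method.upper() in READ_ONLY_METHODS:
            return True, "no Origin, read-only method", {}
        return False, "state-changing request without Origin", {}

    # Exact match only: no prefix or substring tests, so "null" and
    # look-alike names such as app.example.other.test are rejected.
    origin = origin.lower()
    if origin not in ALLOWED_ORIGINS:
        return False, "untrusted Origin", {}

    # Echo the one matched origin, never "*", and vary the response on it.
    return True, "trusted Origin", {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", {"Host": "127.0.0.1:8731", "Origin": "https://app.example"}),
        ("POST", {"Host": "127.0.0.1:8731", "Origin": "https://other.example"}),
        ("GET", {"Host": "rebind.other.example:8731"}),
        ("POST", {"Host": "localhost:8731"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", check_request(method, hdrs)[:2])
```
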





Might have been there since the beginning, but doesn't make it less surprising or bad. That's a _ridiculously_ bad thing to allow. Any website to talk with just about ANY port on your local machine. Incredible.


