[1] MIX: Block private resources from public resources. · d635094 · w3c/webappsec ( ( 版)) https://github.com/w3c/webappsec/commit/d635094f4e6f6a27fd565f63c9570858de27172b
[2] Issue 378566 - chromium - Block sub-resource loads from the web to private networks and localhost - An open-source project to help move the web forward. - Google Project Hosting ( 版) https://code.google.com/p/chromium/issues/detail?id=378566
[3] CORS and RFC1918 ( 版) https://mikewest.github.io/cors-rfc1918/
[4] Limiting requests from the internet to the intranet. (Mike West 著, 版) https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0000.html
[5] Issue 378566 - chromium - Block sub-resource loads from the web to private networks and localhost - An open-source project to help move the web forward. - Google Project Hosting ( 版) https://code.google.com/p/chromium/issues/detail?id=378566
[6] Issue 693 - google-security-research - TrendMicro node.js HTTP server listening on localhost can execute commands - Google Security Research - Google Project Hosting ( 版) https://code.google.com/p/google-security-research/issues/detail?id=693
[7] [MIX] Carveout for `127.0.0.1`? (Mike West 著, 版) https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0044.html
Tavis Ormandy reported a common DNS misconfiguration that can result in a minor security issue with web applications.
"It's a common and sensible practice to install records of the form "localhost. IN A 127.0.0.1" into nameserver configurations, bizarrely however, administrators often mistakenly drop the trailing dot, introducing an interesting variation of Cross-Site Scripting (XSS) I call Same-Site Scripting. The missing dot indicates that the record is not fully qualified, and thus queries of the form "localhost.example.com" are resolved. While superficially this may appear to be harmless, it does in fact allow an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same origin restrictions, and therefore hijack state management data."
Like many names in the security field, this is a bit of a misnomer. It's not really the same site that's performing the xss attack. It's the same domain, but the site happens to be the local machine, not the website in question. This is also not an xss/JavaScript injection issue, but a DNS misconfiguration that bypasses the same domain policy and allows non-injected JavaScript from the local host to run in the context of pages served by the misconfigured domain.
It would have been more accurate to name it something like 'Same-Domain Policy Bypass via DNS Misconfiguration', but that's not nearly as sexy.
* Disclosure of internal IP addresses (RFC 1918) are reported
* Domains susceptible to [same site scripting](http://snipurl.com/etbcv) are reported
Initial analysis shows that some of the worlds most popular websites are
affected. The administrators of the example domains listed below were
sent a draft of this email 7 days before release, so some (or all) may
have been corrected, these examples are simply intended to demonstrate
how widespread this problem is.
localhost.microsoft.com has address 127.0.0.1
localhost.ebay.com has address 127.0.0.1
localhost.yahoo.com has address 127.0.0.1
localhost.fbi.gov has address 127.0.0.1
localhost.citibank.com has address 127.0.0.1
localhost.cisco.com has address 127.0.0.1
etc.
[13] GitHub - WICG/private-network-access, https://github.com/WICG/private-network-access