tags:

views:

114

answers:

4
+3  Q: 

Pitfalls of accessing a webserver on 127.0.0.1 from js with a public site

I'm thinking about exploring the idea of having our client software run as a service on a high port and listen for simple http GET requests from 127.0.0.1. The theory is that I would be able to access this service via js from a web page that is served from my site.

1) User installs client software that installs itself as a service and waits for authenticated requests on 127.0.0.1:8080

2) When the user hits my home page js on the page makes an xhtml request to 127.0.0.1:8080 and asks for the status

3) The home page then makes another js request back to my web server sending the status that it received.

This would allow my users to upload/download and edit files on a USB attached device in real-time from a browser. Polling could be the fallback method which is close to what we do today.

Has anyone done this and what potential pitfalls are there? Will this even work?

+3  A: 

I can't see any potential pitfalls. I do have a couple of points however.

1/ You probably want to make sure your service only accepts incoming connection from the local machine (127.0.0.1). Otherwise, anyone could look at your JavaScript and figure out that it's talking to [your-ip]:8080. They could then try that themselves from a remote site (security hole).

2/ I wouldn't use port 8080 as it's commonly used for other things (alternate HTTP servers, etc.). Make it configurable and choose a nice high random-type value.

3/ I'm not sure what you're trying to do with point 3 but I think you're trying to send the status back to the user. In which case, why wouldn't the JavaScript on your home page just get the status in a single session and output/update the HTML to be presented to the user? Your "another js request back to my web server" doesn't make sense to me.

paxdiablo  2008-12-02 03:16:26
1) Excellent point. That's why I mentioned authenticated. It would probably be a security token or even the session ID passed in that the service would verify with the web server.
 2008-12-02 14:51:17
2) Another good point. I only used 8080 as an example. I do see a real problem picking a port that would always work. Since I have to put the port in the js I can't think how a dynamic port would work. Probably have to pick a primary and backup port and try the backup if the primary fails.
 2008-12-02 14:52:33
3) The hardware device the service would talk to has lots of data that the user wants on our servers so they can manipulate it. This proxy service is there to allow a USB device to talk to our web server and the server to talk to the device.
 2008-12-02 14:54:53
+1  A: 

You may not be able to do a xml http request to 127.0.0.1 as XMLHTTPRequest is usually limited to the same domain as the main content is being served from. I'm not sure if this restriction applies if the server is on the client's machine. That being said, you could still create a <script> tag that had the src pointing to 127.0.0.1, and have the web server return some Javascript to run. If you only need a simple response, this could work well.

Kibbee  2008-12-02 03:24:30
That would be a good backup option of the XMLHTTP Request didn't work. Still might be blocked but less likely.
 2008-12-02 14:56:37
A: 

I think it is much better for you to avoid implementation of application logic in JavaScript and html. Once user clicks button on a web page JavaScript should send request to your service and allow it do the rest of the work.

Din  2008-12-02 03:29:00
A: 

You could have problems with step 1 (Client installs itself) depending on your target user base.

  • You will need a customised install for each supported environment (Win2K, Vista, Linux, MAC OS 9.0/10.0 etc.).
  • If your user is on a locked down at work PC this simply wont be allowed.
  • To some users this might look distressingly similar to a trojan unless you explicitly point out you will be installing software that runs as a service.
  • You didnt mention an unistall procedure. Users resent "Adobe" like software which installs itself and provides no sensible un-install options

    • Ohterwise the approach is sound, and, there are are couple of commercial products out there that use exactly this approach!

    James Anderson  2008-12-02 08:23:03
    This is very legit software, nothing even remotely shady. Our customers need to install something if they want their hardware device to work, this would be a more streamlined version than the current one.
     2008-12-02 14:58:11
    No critisim of your software intended. Its just that with the number botnets and phishing attacks innocent installs can be misinterpreted by users. The key is to inform the user up front that you will be installing some software!
    James Anderson  2008-12-05 10:36:25

    related questions

    Encryption in C# Web-Services
    How Do You Secure database.yml?
    ASP.NET LocationProvider
    What do you (or your company) use for wiping a machine?
    Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
    Java: What is the best way to SFTP a file from a server
    How do I call a Flex SWF from a remote domain using Flash (AS3) ?
    Best way to store a database password in a startup script / config file?
    Using VM to get around VPN restrictions
    Best references for secure coding practices in ASP.NET and classic ASP.
    Secure Memory Allocator in C++
    Resolving Session Fixation in JBoss
    Best Practices for securing a REST API / web service
    Defensive programming
    Personal Linux web server
    Block user access to internals of a site using HTTP_REFERER
    Is there an Unobtrusive Captcha for web forms?
    My website got hacked... What should I do?
    What all do I need to escape when sending a (My)SQL query?
    How do you disable browser Autocomplete on web form field / input tag?
    Best .NET obfuscation tools/strategy
    Are there best practices for testing security in an Agile development shop?
    What is the best way to avoid SQL injection attacks?
    Found a critical bug, but the company doesn't care
    PHP Session Security