> The following options exist but were not included because they are not mature enough.

> Web browser communicating with a Rust local server: too hacky, insecure? (DNS rebinding attacks) and does not support native features like tray icons.

You should not discount this, Golang solutions like lorca [0] do just fine with this using devtools proto for comm (systray can be a separate lib). DNS rebinding attacks are just a host header check away from mitigated. At the least, check out webview [1] (and its in-dev successor impl [2]) for not requiring Chrome and having more direct control.

Also, you should look at CEF which ships with Chromium bundled (it's not too huge) and has a C-FFI easily consumable from Rust. I have used this approach with success.

0 - https://github.com/zserge/lorca 1 - https://github.com/zserge/webview 2 - https://github.com/zserge/webview/tree/webview-x

Isn't the only way to defend against DNS rebinding to add authentication to your local server?


For these localhost-only servers, a simple check on Host is fine. E.g. if you're on 127.0.0.1:3000, checking that Host is strictly 127.0.0.1:3000 or localhost:3000 is good enough.


Doesn't DNS rebinding trick your browser into thinking this is indeed your host?


DNS rebinding involves changing your host's really-low-TTL A record to 127.0.0.1 (or another internal IP), and then on the next request the browser will assume that's what the host is and make a call to that new IP assuming same-origin... but it sets the Host header to what the browser thinks represents that IP. If it's not localhost or 127.0.0.1 (for this use case) then we know someone was tricked into thinking our local IP was theirs. So check the Host to make sure it isn't someone else's host "re-bound" to your IP.
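The strict Host check described in this thread, as an added example (not code from any commenter or from lorca/webview). It assumes a server bound to 127.0.0.1:3000, as in the comment above, and uses only Python's standard http.server; a rebound request carries the attacker's domain in Host, so an exact allowlist match rejects it.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hosts a browser legitimately sends for a server bound to 127.0.0.1:3000.
# Assumption: the server only ever listens on this one address and port.
ALLOWED_HOSTS = {"127.0.0.1:3000", "localhost:3000"}


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header exactly names a local origin.

    After DNS rebinding the browser still sets Host to the attacker's
    domain (e.g. "attacker.example:3000"), so an exact match is sufficient.
    Prefix/suffix matching (e.g. "localhost:3000.attacker.example") would
    reopen the hole, so the comparison is on the whole value.
    """
    if host_header is None:
        return False
    return host_header.strip().lower() in allowed


class LocalOnlyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # Reject before doing any work: the request did not originate
            # from a page that truly targets this local origin.
            self.send_error(403, "Host header not permitted")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the local server\n")


if __name__ == "__main__":
    # Bind to loopback only; the Host check guards against rebinding.
    HTTPServer(("127.0.0.1", 3000), LocalOnlyHandler).serve_forever()
```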