4

Is there any plan to allow Edge and EPM IE to communicate over loopback, or some other way for a webapp to communicate with a native app?

I'm working on a product where we would like a webapp to be able to communicate with a native app running on the same machine. We currently have a mechanism where the native app runs a webserver listening on loopback and the webapp makes CORS requests to this webserver. This mechanism works in most browsers except for EPM IE and Edge, where loopback communication is disabled (see "Loopback-blocked" in this MSDN post).

The answer to this SO post suggested that there might be changes to this, but it sounded like that would only be for development/debugging, not for production. It would be great if someone could confirm that.

Related to this, Chromium announced similar plans to block loopback/local network access in the bug Block sub-resource loads from the web to private networks and localhost. However, there seemed to be quite an outcry and it sounded like they wouldn't implement a change without having a replacement mechanism in place.

Ideally we'd prefer a solution that didn't require proxying through our server because of the extra latency and complexity that would introduce.

Community

2 Answers

0

Per the link in that same SO question, a future update will include the ability to enable localhost loopback support in about:flags.

Ryan Joy
  • Yes, I could ask my users to do that, and I could also run the `CheckNetIsolation LoopbackExempt -a -n=Microsoft.Windows.Spartan_cw5n1h2txyewy` command in my native app's installer, but it seems strange for me to change the security profile of all of Edge in order for my app to work. – Jeremy Spiegel Jun 29 '15 at 16:34
  • The reason it's a global thing is that this localhost loopback is a way for a browser to communicate with a native-code application very freely. If a bad native program were installed, then it could do harm on its own, but it's still an unnecessary attack vector to leave open. I would guess it's been involved in a number of exploits over the years that have been patchable, but generally suggest it's a risky area. – Katana314 Jul 01 '15 at 03:28
0

The FAQ at http://dev.modern.ie/platform/faq/how-can-i-debug-localhost/ changed recently:

Microsoft Edge allows localhost access by default starting with Windows 10 build 10166+. This can be disabled via "about:flags".

So that fixes it at least for the Edge browser.
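
Added example, not part of the original thread: a Python sketch of the loopback webserver the question describes, restricted so that only the webapp's own origin can use it, which narrows the attack vector raised in the comments. The origin `https://app.example.com`, port 47821 and all function names are assumptions.

```python
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed values for illustration; substitute the real webapp origin and port.
ALLOWED_ORIGINS = {"https://app.example.com"}
PORT = 47821
ALLOWED_HOSTS = {f"127.0.0.1:{PORT}", f"localhost:{PORT}"}


def check_request(method, headers):
    """Decide how to answer a request; returns (status, response_headers)."""
    host = (headers.get("Host") or "").lower()
    origin = headers.get("Origin")
    # A Host header that does not name loopback means the browser reached us
    # through some other hostname (for example via DNS rebinding): refuse.
    if host not in ALLOWED_HOSTS:
        return 403, {}
    # Exact-match allow-list: never reflect an arbitrary Origin, never use "*".
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":  # CORS preflight
        cors["Access-Control-Allow-Methods"] = "GET, POST"
        cors["Access-Control-Allow-Headers"] = "Content-Type"
        return 204, cors
    return 200, cors


class Handler(BaseHTTPRequestHandler):
    def _respond(self):
        status, extra = check_request(self.command, self.headers)
        body = b'{"status": "ok"}' if status == 200 else b""
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_OPTIONS = _respond


def make_server(port=PORT):
    # Bind to 127.0.0.1 only, so the API is never reachable from the network.
    return ThreadingHTTPServer(("127.0.0.1", port), Handler)


if __name__ == "__main__":
    make_server().serve_forever()
```

The `Origin` check only constrains web pages running in a browser; any other local process can send whatever headers it likes, so it is not caller authentication.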