New issue
Advanced search Search tips

Issue 912553 link

Starred by 3 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Chromium Ignores PAC Script for localhost

Reported by shubham....@gmail.com, Dec 6

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36

Steps to reproduce the problem:
1. Have a rule in PAC script for localhost. Eg
```
function FindProxyForURL(url, host) {
   if (isPlainHostName(host)) {
        return "PROXY 127.0.0.1:5010";           
    }

    return DIRECT;
```

2. Load a localhost URL

What is the expected behavior?
The URL should be loaded through the proxy.

What went wrong?
It is loaded directly. 

Did this work before? Yes 70.0

Does this work in other browsers? Yes

Chrome version: 71.0.3578.80  Channel: stable
OS Version: OS X 10.14.1
Flash Version: 

The change has been introduced via this commit https://chromium.googlesource.com/chromium/src/+/0e2a57db78b2dca463903ab26523fe9ac1798949. 

I had a genuine use case for proxying localhost URLs. I wanted to selectively intercept and mock local API requests.
 
Cc: eroman@chromium.org mmenke@chromium.org
This is now expected, as you point out.  You can use the new rule "<-loopback>", though that only works with proxy bypass rules, not PAC scripts, unfortunately.  The rule was added to address security concerns of remote attackers hijacking localhost requests, which are normally considered secure.  I defer to eroman if we want to add a way to bypass this through local configuration or group policy.
Components: -Blink>Network Internals>Network>Proxy
Forgot to update the component...
If it's to address a security concern, why are PAC scripts being singled out? Someone can just as easily proxy traffic via HTTP/HTTPS proxy settings in the system. 
Proxy rules have to be enabled, and are configured locally, or via group policy - we're also mirroring Window's proxy rule behavior, which doesn't proxy localhost by default, but also has an opt-out.  PAC scripts configured through WPAD or DHCP are enabled by default on Windows, so there's no affirmative signal there that "Yes, this is a trusted script, and should be able to override the behavior for localhost URLs".
Labels: -OS-Mac OS-All
Owner: eroman@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report!

Unfortunately this is expected fall-out from the change you correctly identified in comment #0.

Following that change, there is no longer a way to choose the proxy for localhost (or link-local) URLs via a PAC script. In this regard, Chrome now behaves like Edge and Safari, which also bypass PAC for localhost

As far as work-arounds for your use-case, there are a few imperfect translations.

(1) Use manual proxy settings rather than a PAC script. Depending on the logic in your PAC file, an exact translation may not be possible:

  --proxy-server="http://127.0.0.1:5010" --proxy-bypass-list="<-loopback>"

(2) Access the URLs via a non-localhost address. This would entail changing the URL that you are navigating from say "http://localhost/" to maybe "http://localhost.test". You could then remap "localhost.test" to resolving to 127.0.0.1 globally (/etc/hosts), or just in Chrome with:

  --host-resolver-rules='MAP localhost.test 127.0.0.1'

The downside with this approach is that from the perspective of the web platform, http://localhost.test/ will not longer have the extra privileges that http://localhost/ did (http://loclahost/ is considered a secure origin).


If going with option (1), be aware that on macOS you cannot specify <-loopback> in the network preferences (it gets normalized to "loopback>". If you want to specify a localhost bypass via system settings a minimal set of rules you can use instead is: "localhost, 127.0.0.1/8, ::1".



Assigning to me to follow-through as we get more feedback from M71. I don't have any current plans to poke holes in the policy for this use case given it is not a cross-browser idiom, but we could explore a Chrome-only solution if there is a need.
 Issue 913950  has been merged into this issue.

Sign in to add a comment