piuk's comments

Wouldn't the same origin policy prevent requests to localhost?


You might be thinking of preventing Javascript on host X from sending XMLHttpRequests to host Y. That will not prevent Javascript on host X from adding a form to the web page and having it post to host Y with arbitrary content, or from having an IMG tag on host X attempt to load (via a GET) a URL on host Y (assuming someone finds a pathway that works via GET requests for these or related vulnerabilities).


afaik you can't use cross site requests to exploit either the xml bug or the json bug without also exploiting a browser or plugin bug. both issues depend on setting a request header and you are not allowed to do this in the browser security model. but it sucks that CSRF bug becomes RCE bug :(


> but it sucks that CSRF bug becomes RCE bug :(

You just said it - it can't be exploited via CSRF. Because you cannot set a header.

NO EXPLOIT FOR LOCALHOST:3000 calm down


i actually lied :) there is #from_xml, so if you were doing Hash.from_xml(params[:trololol]) or Post.from_xml(params[:lols]) then you would be vulnerable to a localhost:3000 attack. but I don't think there is a generic attack; it would have to be application specific.


you still need to bypass CSRF protection which is on by default
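An added audit helper for the two conditions raised in the comments above (application code calling from_xml on request data, and a controller that turns off the default CSRF check). It is constructed for this thread, not code from Rails or from any commenter, and the sample controller sources it scans are made up.

```python
import re

# Constructed patterns, not Rails code. First: request data (which a plain HTML
# form can submit) being handed to an XML-to-Hash conversion.
FROM_XML_ON_REQUEST = re.compile(r"\bfrom_xml\(\s*(?:params\b|request\.raw_post\b)")
# Second: a controller opting out of the CSRF check that is on by default.
CSRF_DISABLED = re.compile(r"\bskip_before_(?:filter|action)\s+:verify_authenticity_token\b")
APP_CONTROLLER = re.compile(r"^\s*class\s+ApplicationController\b", re.M)
PROTECT_FROM_FORGERY = re.compile(r"\bprotect_from_forgery\b")


def audit_ruby_source(path, source):
    """Return (path, line, message) tuples for the risky patterns in one file."""
    findings = []
    # Crude comment strip so commented-out code does not trigger or mask a finding.
    code_lines = [line.split("#", 1)[0] for line in source.splitlines()]
    for lineno, code in enumerate(code_lines, 1):
        if FROM_XML_ON_REQUEST.search(code):
            findings.append((path, lineno, "from_xml called on request data"))
        if CSRF_DISABLED.search(code):
            findings.append((path, lineno, "CSRF protection disabled for this controller"))
    code = "\n".join(code_lines)
    if APP_CONTROLLER.search(code) and not PROTECT_FROM_FORGERY.search(code):
        findings.append((path, 0, "ApplicationController does not call protect_from_forgery"))
    return findings


# Constructed sample sources; not taken from any real application.
SAMPLE_CONTROLLER = """\
class PostsController < ApplicationController
  skip_before_filter :verify_authenticity_token, only: [:import]

  def import
    data = Hash.from_xml(params[:payload])   # a form field reaches the XML parser
    Post.create!(data["post"])
  end
end
"""
SAMPLE_APP_CONTROLLER = """\
class ApplicationController < ActionController::Base
  # no forgery protection configured here
end
"""


def run_audit():
    return (audit_ruby_source("posts_controller.rb", SAMPLE_CONTROLLER)
            + audit_ruby_source("application_controller.rb", SAMPLE_APP_CONTROLLER))


if __name__ == "__main__":
    for path, lineno, msg in run_audit():
        print(f"{path}:{lineno}: {msg}")
```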


Yet.


You can dynamically create an iframe in JavaScript and do a regular form post to localhost:3000 through it.


how u gonna set content-type?


Sorry, it was meant to be a bit of fun and I wasn't expecting it to get on HN front page (developer).


How dare you have fun on your website. Hacker News users are super serious, busy, important startup people. You've just disrupted my zen flow for my super productive day.


You should read my new blog post and buy it as an ebook (DRM free!) titled "Seven Effective Secrets You Didn't Know About To Not Let Things Disrupt Your Zen Flow For Your Super Productive Day (And Five You'd Forgotten!)". It's even got a foreword by someone who had read a Wikipedia article about Alan Kay!

It's available on my website (shameless plug) at www.bltzrg-app.me


My start-up already pivoted into the personal productivity blog posting space, so you are out of luck.


You will be getting a letter from our lawyers shortly. Our stealth startup has been quietly developing a product for the personal productivity blog post space for the last 2 years. Some of the guys who invested in Facebook invested in us at a $999,999 valuation. We've yet to make a profit, but I'm sure we will one day! Did I mention it's also a responsive desktop/mobile hybrid app built using Meteor, Haskell and the Go programming language?

You are out of luck. Now if you'll excuse me I've got some Ruby on Rails code to write and a blog post hating on PHP and applauding Node.JS and NoSQL.


FYI, you will convert 37% better if you change your call-to-action wording to "You should visit my website at www.bltrg-app.me".


You forgot to mention "cognitive context switching."


At the current price, miners are producing $140,000 worth of bitcoins per day. I expect most of these miners will be looking to cash out, and the ones that don't need to at least cover electricity costs etc. $100,000+ of new investment per day probably won't be sustainable for long, and hence the price will have to correct itself.

