
[Bug] Open web server manipulable by any web page #1

@briansniffen

Description

The web server this software exposes is accessible to any web page the user is browsing. Because it disables CORS (see `"Access-Control-Allow-Origin": "*",`), any web page can send arbitrary commands to the local model, and then receive responses.

Steps to Reproduce

Browse to a web page that has scripts accessing localhost:11434.

Expected Behavior

Scripts cannot interact with my local agent

Actual Behavior

Scripts talk to my local agent, make changes on my behalf, extract my data.

Context

Ollama, OpenClaw, etc. have recently wrestled with similar design flaws. There's a rich library of techniques to prevent this, including using the filesystem to share a token between the client and server, CORS headers restricting the origin to a browser extension or localhost, etc. Happy to chat more about those. This is unsafe for users as written.

Labels: bug (Something isn't working)