webui-aria2 is a tool that allows controlling aria2 (a powerful download tool) through RPC methods from a browser.
Using http://ziahamza.github.io/webui-aria2/, one can control aria2, provided the application is launched with the --enable-rpc option. aria2 basically starts an HTTP server listening on localhost:6800.
Great, but I am surprised that the browser (both WebKit and Gecko) allows a page hosted on github.io to make requests to localhost. How come it does? Isn’t this a serious vulnerability?
Requests to localhost from github.io will be treated like any other cross-origin request.
JavaScript embedded on the site can't read the data across origins unless either:
Presumably the server uses one of those techniques.
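The server's side of the behaviour described in the answer above, as an added example that is not part of the original post and is not aria2's code: a hypothetical request policy for a JSON-RPC service bound to localhost. The `decide` function, the `secret` field and the secret value are assumptions made for illustration; the allowed origin is the github.io host named in the question.

```javascript
// Added example, not aria2's code: a hypothetical policy for a JSON-RPC
// service bound to localhost. The secret is a constructed sample value.
const ALLOWED_ORIGINS = new Set(["http://ziahamza.github.io"]);
const RPC_SECRET = "constructed-sample-secret";

// Compare without stopping at the first mismatching character.
function sameSecret(a, b) {
  if (typeof a !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req = { method, headers (lower-case keys), body (string) }
// Returns { status, headers, executed }; `executed` marks that the RPC ran.
function decide(req) {
  const origin = req.headers["origin"]; // set by the browser, not by page script
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const headers = { Vary: "Origin" };
  // Without this header the browser withholds the response from the page.
  if (allowed) headers["Access-Control-Allow-Origin"] = origin;

  if (req.method === "OPTIONS") { // preflight sent before a JSON POST
    if (allowed) {
      headers["Access-Control-Allow-Methods"] = "POST";
      headers["Access-Control-Allow-Headers"] = "Content-Type";
    }
    return { status: 204, headers, executed: false };
  }
  // A cross-origin request still reaches the server, so refuse to act on
  // it here instead of relying on the browser hiding the reply.
  if (origin !== undefined && !allowed) return { status: 403, headers, executed: false };
  if (req.method !== "POST") return { status: 405, headers, executed: false };

  let call;
  try { call = JSON.parse(req.body); } catch { return { status: 400, headers, executed: false }; }
  if (call === null || typeof call !== "object" || !sameSecret(call.secret, RPC_SECRET)) {
    return { status: 401, headers, executed: false };
  }
  return { status: 200, headers, executed: true };
}
```

A request with no Origin header (a local command-line client, for instance) is not subject to the origin check but still has to present the secret.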