Don't listen to 0.0.0.0 by default for security reasons. (#22077)

A developer might start emrun without thinking about the --hostname setting. So he might expose sensible data on the webserver to the LAN or to the Internet. It might even happen, that a vulnerable Emsdk version becomes publicly reachable. Instead use localhost (127.0.0.1) by default, which is usually sufficient for development.
emscripten-core · Sep 27, 2024 · 5ef6a5a · 5ef6a5a
1 parent f508b43
commit 5ef6a5a
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/emrun.py b/emrun.py
@@ -84,9 +84,9 @@
 processname_killed_atexit = ""
 
 # Using "0.0.0.0" means "all interfaces", which should allow connecting to this
-# server via LAN addresses. Using "localhost" should allow only connecting from
-# local computer.
-default_webserver_hostname = '0.0.0.0'
+# server via LAN or public Internet addresses, which might be a security risk.
+# Using "localhost" should allow only connecting from local computer.
+default_webserver_hostname = 'localhost'
 
 # If user does not specify a --port parameter, this port is used to launch the
 # server.