On 1/16/23 12:31, Björn Persson wrote:
> Robert Marcano via devel wrote:
>> The admin can implement CUPS
>> authentication but an ipp://localhost:60000 open port is entirely open to
>> anyone on the local machine to submit print jobs directly, bypassing CUPS.
>
> In that case it's also accessible to all the untrusted JavaScript junk
> that regularly runs in the user's browser. Because IPP is built on HTTP,
> a JavaScript program can tell the browser to send an IPP request. What
> has been done to secure those "virtual printer devices" against DNS
> rebinding attacks?
>
https://en.wikipedia.org/wiki/DNS_rebinding
I'll ask IPP-USB upstream about it, stay tuned.
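
Added example (not part of the thread and not IPP-USB's own code): the usual server-side defence against the DNS rebinding concern raised above is for a loopback HTTP service to reject any request whose Host header does not name the loopback interface. The request path `/ipp/print`, the name `attacker.example` and the stand-in backend are constructed for illustration; port 60000 is taken from the thread.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedHost reports whether a Host header value names the loopback interface.
// After a rebind the browser still sends the attacker's domain name in Host.
func allowedHost(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h // strip ":port" (also unwraps "[::1]:60000")
	}
	host = strings.Trim(strings.TrimSuffix(strings.ToLower(host), "."), "[]")
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// rejectRebinding wraps a handler and answers 403 for non-loopback Host values.
func rejectRebinding(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedHost(r.Host) {
			http.Error(w, "unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request with the given Host header through
// the wrapped handler and returns the HTTP status code.
func statusFor(host string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for the real IPP handler (assumption)
	})
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:60000/ipp/print", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	rejectRebinding(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, h := range []string{"localhost:60000", "[::1]:60000", "attacker.example:60000"} {
		fmt.Println(h, statusFor(h))
	}
}
```

This check addresses DNS rebinding only; it does nothing about other local users or processes submitting jobs to the port directly, which is the separate point made earlier in the thread.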