Does Meteor have anything that prevents webpages you are currently visiting from listening in to the localhost Meteor websocket connection? Seems to be a hot topic on Hacker News and there is a good article about it.
Wouldn’t they show up as a separate client/session, so they wouldn’t get the same info as an authenticated DDP session?
Could be an issue when developing with autopublish if you used sensitive data in development.
As for restricting ws to localhost: I tend to do some debugging over the network so I can test different environments, so I either connect to an IP address or a local mDNS name. I would want an escape hatch so I could keep doing so when I need to.
I tried this with several test apps (including autopublish/insecure) but no connections were found. I think we should at least investigate whether there is a successful portscan with a dev environment and then make this a priority topic.
I think that’s just because the proof-of-concept site only checks for known Webpack / HMR sockets and ports. Meteor puts sockets on a different path under /sockjs.