Network interactions, security

[meejah]

Hello,

This is a very interesting project!

I'm trying to understand the network interactions involved (and possible security considerations) when running desktop applications. For now, I am personally just interested in "desktop" applications (immediately, on Linux but if there are substantial differences to Windows or iOS that'd be good to know too :).

e.g. when I run examples from Python I see a fletd running locally and I can interact with it via some simple telnet Web requests. Is there a threat-model or document describing how this works? Could another program running locally as me interfere with a desktop flet UI? (Could a malicious Web page make localhost requests and similarly interfere, after getting the correct port?)

Thanks for any pointers!

[FeodorFitsner]

Yeah, there is a web server (Fletd) running and by default listening on all computer IP addresses. There are two kinds of clients that can connect to that web server: 1) host client - Python program and 2) web client - user's web browser or anything else on the internet. See this diagram for a visualization: https://flet.dev/docs/guides/python/mobile-support#flet-approach

Both host and web clients are connecting via WebSocket protocol. By default, Fletd does not allow "remote" host clients, i.e. Python program controlling the UI must be coming from 127.0.0.1 or ::1 IPs.

If you are not planning to expose Flet app as a web app you can make Fletd listen on 127.0.0.1 only by running the app as:

flet.app(target=main, host="127.0.0.1")

Let me know if you have any questions.

[meejah]

Great, thanks for the explanation.

I'm only immediately concerned about desktop applications -- so in that diagram, that means there's no "flet client" in the desktop case? Or does it mean there is one (but of course it's on localhost too)?

It sounds like the answer to my question is "yes, another local program can make requests to that daemon". Could a Web page make XHR requests to "localhost"? (I don't currently see CORS headers).

Is there any way to ensure that only the very program the user started will be able to contact Fletd? Which program is actually showing things on the screen, is that feltd or the Python program the user started?

Consider an application where the Python program is storing secret data locally (e.g. encryption keys). I'm trying to understand what another malicious (local) program can accomplish. Can it show dialogs etc "as" the Flutter program?