TL;DR
To proxy localhost (and related addresses) with newer Firefox versions (>=67), the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
Details on why Mozilla decided to use specific rules for localhost:
In 2018, Jann Horn reported a major security vulnerability. According to his report, applications that bind a web server to localhost and then use Host header checks to prevent DNS rebinding attacks should be protected from malicious outside traffic, even if the network itself is malicious. Back then, Firefox did not treat localhost differently in its proxying decisions. That meant that an attacker could abuse the Web Proxy Auto-Discovery (WPAD) protocol to gain the ability to serve attacker-controlled content at http://localhost:*/*. The attacker could then be able to perform same-origin XMLHttpRequest (XHR) requests to http://localhost:*/* (e.g. by letting the proxy auto-config (PAC) file specify DIRECT as fallback if the proxy went down).
In 2019, Mozilla's developers decided to create and "hide" the above-mentioned preference in the config page, in order to protect inexperienced users. The fix was finally released with version 67.
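
For reference, this is the kind of Host header check the report refers to, written as an added example (it is not code from the report or from Firefox). The port number, the allowlist and the names host_is_allowed and Handler are assumptions made for the illustration.

```python
# Added example: Host header allowlist for a loopback-only HTTP service.
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 8765  # constructed sample port
ALLOWED_NAMES = {"localhost", "127.0.0.1", "[::1]"}  # assumed allowlist


def host_is_allowed(host_header, port=PORT):
    """Return True only if the Host header names this loopback service."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # IPv6 literal: keep the brackets, the port follows "]:".
        name, bracket, rest = host.partition("]")
        name += bracket
        if rest and not rest.startswith(":"):
            return False
        port_part = rest[1:]
    else:
        name, _, port_part = host.partition(":")
    # The port must match exactly; it may be omitted only on port 80.
    expected = {str(port)} | ({""} if port == 80 else set())
    if port_part not in expected:
        return False
    return name in ALLOWED_NAMES


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # A rebinding request arrives with the attacker's hostname in Host.
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Unexpected Host header")
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only, as the applications in the report do.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```

A same-origin request that reaches the service directly carries Host: localhost:8765 and passes this check, so the check alone does not cover the proxied-localhost case; that is what the browser-side rule addresses.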