Consider adding blocking rules "from web to localhost" to default to improve security

Question

Consider adding blocking rules "from web to localhost" to default to improve security

Remu-rin opened this issue 7 years ago · comments

Example case: https://lock.cmpxchg8b.com/utorrent-crash-test.html (background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524)
Page uses img src attribute to make requests to localhost and this goes through uMatrix default settings (* * image allow). Tested on Firefox and Chrome. Now I added to my rules:

* 127.0.0.1 * block
* localhost * block
* my-LAN-IP * block
127.0.0.1 127.0.0.1 * inherit
localhost localhost * inherit
my-LAN-IP my-LAN-IP * inherit

But maybe 127.0.0.1 and localhost rules are good enough for default? This would make silent attacks like above harder, but won't break services that are running on localhost and intentionally visited by user in the browser (on localhost:port and 127.0.0.1:port). Or there are legitimate cases when remote web page needs to request localhost?

Thorin-Oakenpants · Answer 1 · Sun Feb 25 2018 09:00:14 GMT+0800 (China Standard Time)

FYI: see https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uMatrix .. namely IPv6 and 192.168

Remu-rin · Answer 2 · Sun Feb 25 2018 09:53:12 GMT+0800 (China Standard Time)

@Thorin-Oakenpants Thanks, these short versions are very handy, didn't knew uM can accept rules like this. Blocking whole ranges is great.
Also strict blocking is not working for those rules when there is * 1st-party * allow, so no need for inherit rules quoted above.