b3lvedere 2 days ago

"Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled."

Never knew that this existed. Thank you!

nerflad 2 days ago | parent | next [-]

Checking out the initial request on GitHub for this feature, I wonder why this is necessary? What access to the local network does the browser provide, or need to provide, and why isn't this something developers are more concerned about? I had a feeling this was possible as I see lots of mDNS requests when I connect to certain things running sockets.

https://github.com/uBlockOrigin/uAssets/issues/4318

dannyw 2 days ago | parent | next [-]

There are certainly use cases, but whether they’re warranted is a good question.

One popular router maker offers a ‘magic URL’ (domain name) that scans your network for the gateway management page, and redirects. It’s not necessary, but it certainly helps novice users. Having worked in IT support,

I’ve also purchased hardware devices that have a web management UI; which connects directly instead of proxying through a cloud.

Ultimately this is probably one thing that should be behind a permission request (like webcam access), but it’s not a feature without value.

lol768 2 days ago | parent | prev [-]

It's being looked at.

https://bugzilla.mozilla.org/show_bug.cgi?id=1481298

theyinwhy 2 days ago | parent [-]

7 year old ticket updated and prioritized because of https://localmess.github.io/

sitkack 2 days ago | parent [-]

This is how it always is with Firefox, you hit some bug and then find that it was entered YEARS ago, while they burn focus on things like Pocket.

adastra22 2 days ago | parent | prev | next [-]

I’m flabbergasted that this is even allowed. Who thought it was a good idea to allow any web page you visit to access your local network?

johncolanduoni 2 days ago | parent [-]

Internal apps on non-private IP addresses occasionally use this. There is a standard called Private Network Access[1] that requires these requests to have preflights like CORS requests. Only Chrome has implemented it so far.

[1]: https://wicg.github.io/private-network-access/

adastra22 2 days ago | parent [-]

Why though? What is the use case that demands this? It'd better be a real pressing need because the security risks are immense and obvious. This is a backdoor to every network firewall.

johncolanduoni 2 days ago | parent | next [-]

It’s more that it wasn’t prevented back when the web was first coming together, because security wasn’t on almost anyone’s minds at all. There wasn’t a hole added at some point; it’s just that browsers didn’t specifically block domains that resolve to public IPs from accessing domains that resolve to private IPs.

Realistically, it’s a backdoor to every network firewall that has existed for the entire era in which browsers were used in “secured” internal networks also connected to the internet. Everyone has either designed with it in mind, or gotten lucky that nobody tried to use it on them for like 30 years. I think it’s good to put away this footgun, but there’s no useful blame to assign here.

adastra22 a day ago | parent [-]

I thought it was prevented by standard browser cross-domain security checks. That's why I'm so surprised.

johncolanduoni 20 hours ago | parent [-]

Requests that need a CORS preflight will fail with any browser from the last 20 years, yes. The private IP addresses are not any more vulnerable than `www.google.com` is from `www.notgoogle.com` for cross-origin policy (subdomain-sensitive policies have a small extra vulnerability). But you’re right that doing this kind of thing without nefarious intent is an insane edge case and it should be opt-in. People spray `Access-Control-Allow-Origin: *` like it’s DDT in the 50s and half ass security in general when it’s on an intranet, so an extra guardrail is still worth it.
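As an added example that is not part of the thread: a sketch of how a LAN device's HTTP API could answer the preflights discussed above, echoing only allowlisted origins instead of `Access-Control-Allow-Origin: *` and granting the Private Network Access header only to them. The function name, the origin allowlist and the method list are assumptions made for illustration.

```javascript
// Added example: preflight decision for a device on a private network.
// ALLOWED_ORIGINS and ALLOWED_METHODS are constructed values for illustration.
const ALLOWED_ORIGINS = new Set(["https://admin.example.test"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// `headers` uses lower-cased names, as Node's http module delivers them.
function answerPreflight(method, headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  const wanted = headers["access-control-request-method"];

  // A CORS preflight is an OPTIONS request carrying the requested method.
  if (method !== "OPTIONS" || wanted === undefined) {
    return { status: 405, headers: {} };
  }

  // Unknown origin or method: reply without any CORS headers, so the
  // browser fails the preflight and never sends the real request.
  if (!origin || !allowed.has(origin) || !ALLOWED_METHODS.has(wanted)) {
    return { status: 403, headers: {} };
  }

  const out = {
    "access-control-allow-origin": origin, // exact echo, never "*"
    "access-control-allow-methods": wanted,
    "vary": "Origin", // caches must not reuse this reply for another origin
  };

  // Private Network Access: a browser implementing the draft marks a
  // public-to-private request with this header and expects the matching
  // allow header before it lets the request through.
  if (headers["access-control-request-private-network"] === "true") {
    out["access-control-allow-private-network"] = "true";
  }
  return { status: 204, headers: out };
}
```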

psd1 2 days ago | parent | prev [-]

I'm hazy on the details, but:

Home Assistant has a well-known public name that opens your local instance. On first access, you need to give it the name or ip of your instance, which is saved in browser storage. This supports deep links into your config from forum posts.

My mum also had a shitty D-Link wifi mesh device, which was packaged as an appliance. I cannot speak lowly enough about that garbage device, but then, I am not really the target market. iirc it had something similar; a public dns name for local appliance mgmt.

adastra22 a day ago | parent | next [-]

How is that the same thing? That is a DNS entry that resolves to an internal IP. That lets a user explicitly type a domain and get something internal. That wouldn’t allow cnn.com to port scan my fridge.

b3lvedere a day ago | parent | prev [-]

I remember Fritzbox devices doing the same. Wasn’t a real problem until someone actually hijacked the fritz.box domain.

balamatom 2 days ago | parent | prev | next [-]

Massively improved my security posture with this. Thanks all!

buyucu 2 days ago | parent | prev | next [-]

Likewise I didn't know it existed, but it was enabled on my laptop and mobile browsers.

dd_xplore 2 days ago | parent | prev [-]

Is that available in the lite version too? Now that the origin is being phased out

LarMachinarum 2 days ago | parent | next [-]

… or you can instead phase out those browsers who try to force blocker restrictions i.e. spyware on you (e.g. chrome and such), and use one of the browsers where you can use the full-featured (not "lite") uBlock Origin instead, e.g. Firefox.

Filligree 2 days ago | parent [-]

Firefox might be an okay browser, but that would imply supporting Mozilla.

I've been meaning to switch to Vivaldi. Just as soon as the onboarding dialog stops crashing.

Rastonbury 2 days ago | parent | next [-]

I wonder how bad does Mozilla have to be that you have to continue using Chrome without ublock?

Filligree 2 days ago | parent [-]

Worse than it is now, I suppose.

tos1 2 days ago | parent | prev [-]

I'm curious: What are your reasons for not wanting to support Mozilla?

Filligree 2 days ago | parent [-]

I disagree with their politics, I'm concerned by the multiple privacy incidents, and I generally refuse to support them until they refocus on Firefox instead of all the other stuff they're doing.

If they worked only on Firefox, I'd have nothing against them. As it stands, I can't even donate to Firefox if I want to.

daveidol 2 days ago | parent | prev | next [-]

It’s only being phased out on Chrome, by Google.

ddlsmurf 2 days ago | parent [-]

Yes, to make us safer, now you enable developer mode and disable signature checking to install it locally, thanks Google

maleldil 2 days ago | parent [-]

Soon, you won't be able to install it locally because the API it relies on will no longer be available. Use Firefox.

Bnjoroge 2 days ago | parent [-]

Or Microsoft Edge

maleldil 2 days ago | parent | next [-]

Microsoft will eventually (TBD) remove Manifest v2 support from Edge, too[1].

> Manifest V2 extensions will no longer function in Microsoft Edge, even with the use of enterprise policies.

[1] https://learn.microsoft.com/en-us/microsoft-edge/extensions/...

fc417fc802 2 days ago | parent [-]

Isn't that because Edge has been a wrapper around Chromium for a while now? Presumably support will follow upstream.

Ntrails 2 days ago | parent | prev [-]

I thought Edge also did not support true ad blocking?

nicce 2 days ago | parent | prev | next [-]

You can't change browser? Or is there something bigger happening?

surajrmal 2 days ago | parent [-]

Not everyone wants to change browsers.

LarMachinarum 2 days ago | parent [-]

Then again, if the makers of one big browser (and via there also the derived browsers) start force-shoving spyware upon you (by restricting blockers), it comes down to a decision of how you set your priorities. Personally, it's a clear cut red line, but you do you.

bilalq 2 days ago | parent | prev | next [-]

Just checked, and it seems like it is. Not enabled by default for some reason.

buyucu 2 days ago | parent | prev [-]

It is not being phased out for Firefox.