uMatrix icon indicating copy to clipboard operation
uMatrix copied to clipboard

Published 20 hours ago verified publisher icon gorhill

Consider adding blocking rules "from web to localhost" to default to improve security

Open Remu-rin opened this issue 7 years ago • 2 comments

Example case: https://lock.cmpxchg8b.com/utorrent-crash-test.html (background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524) Page uses img src attribute to make requests to localhost and this goes through uMatrix default settings (* * image allow). Tested on Firefox and Chrome. Now I added to my rules:

* 127.0.0.1 * block * localhost * block * my-LAN-IP * block 127.0.0.1 127.0.0.1 * inherit localhost localhost * inherit my-LAN-IP my-LAN-IP * inherit

But maybe 127.0.0.1 and localhost rules are good enough for default? This would make silent attacks like above harder, but won't break services that are running on localhost and intentionally visited by user in the browser (on localhost:port and 127.0.0.1:port). Or there are legitimate cases when remote web page needs to request localhost?

Remu-rin avatar Feb 25 '18 00:02 Remu-rin

FYI: see https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uMatrix .. namely IPv6 and 192.168

Thorin-Oakenpants avatar Feb 25 '18 01:02 Thorin-Oakenpants

@Thorin-Oakenpants Thanks, these short versions are very handy, didn't knew uM can accept rules like this. Blocking whole ranges is great. Also strict blocking is not working for those rules when there is * 1st-party * allow, so no need for inherit rules quoted above.

Remu-rin avatar Feb 25 '18 01:02 Remu-rin