- From: Matt Menke <notifications@github.com>
- Date: Tue, 09 Mar 2021 06:14:36 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 9 March 2021 14:14:48 UTC
> @MattMenke2: > > > Given that proxy autoconfig remains enabled by default on Windows, I think we'll likely need to continue using the same blacklist for proxies, in practice. > > I don't understand the risk here (because I know little to nothing about proxy configuration on Windows). Can a web-based attacker force a user to use a given proxy? That seems bad. If you're a man-in-the-middle attacker, you can respond to DNS lookups to wpad to get users to use your own PAC script. This feature that is only really targeted at enterprises is still enabled by default on all Windows machines, to the extent of my knowledge. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1189#issuecomment-793952649
Received on Tuesday, 9 March 2021 14:14:48 UTC