Re: [whatwg/fetch] Consider shifting the "bad port list" to an allowlist. (#1189)

> If you're a man-in-the-middle attacker, you can respond to DNS lookups to wpad to get users to use your own PAC script. This feature that is only really targeted at enterprises is still enabled by default on all Windows machines, to the extent of my knowledge.

Interesting. That sounds bad, but somewhat distinct from the risks leading us to slowly add ports to the bad port list, right? It seems like it would be totally possible to prevent websites from `fetch()`ing a resource at port 3128, while at the same time allowing a proxy to be configured pointing at that same port. The contexts seem pretty distinct.

https://github.com/whatwg/fetch/issues/1189#issuecomment-793956646

Received on Tuesday, 9 March 2021 14:18:06 UTC