Re: [whatwg/fetch] Consider shifting the "bad port list" to an allowlist. (#1189)

> Once a PAC script is injected, it can make requests for http://some_host:80/ to http://local.domain:<forbidden_port> by setting that as a proxy for those requests. This would bypass both the port blacklist and any additional webby security features around connections to local IPs.

Malicious proxies are, indeed, bad. I agree that we need to deal with them in some way. All I'm saying here is that I'm not sure we need to deal with them via the bad port list.

https://github.com/whatwg/fetch/issues/1189#issuecomment-793967145

Received on Tuesday, 9 March 2021 14:26:46 UTC