• @X_Cli
    10
    2 years ago

    Being a network security specialist, I’ll ask these basic questions:

    • what’s the universal definition of a private network?
    • does this measure make sense in IPv6 within the global scope?
    • is it the responsibility of the browser to secure against DNS rebinding?

    My answers to these questions are:

    • there is no universal definition, so this approach is doomed by design
    • no
    • heck, no; that’s the job of the webserver, by avoiding the so-called default virtual host. The Host/:authority header should always be verified, and this is sufficient to counter all forms of DNS rebinding.
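
    The Host/:authority check described in the comment above, as an added example that is not part of the thread. The allowlisted names and addresses, `HostCheck`, and the demo app are constructed for illustration.

```python
import re

# Assumption: the only names this service is meant to answer to (constructed).
ALLOWED_HOSTS = {"nas.home.example", "192.168.1.20", "[fd00::20]"}

# host[:port], where host is a reg-name/IPv4 or a bracketed IPv6 literal.
_HOST_RE = re.compile(r"(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?")


def host_is_allowed(header_value, allowed=ALLOWED_HOSTS):
    """Return True only if the Host/:authority value names this service."""
    if not header_value:
        return False                    # request arrived without a Host header
    m = _HOST_RE.fullmatch(header_value.strip().lower())
    if not m:
        return False                    # malformed value, userinfo, spaces...
    host = m.group(1)
    if not host.startswith("["):
        host = host.rstrip(".")         # "name." and "name" are the same host
    return host in allowed


class HostCheck:
    """WSGI middleware: no default virtual host, unknown names get a 421."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app, self.allowed = app, allowed

    def __call__(self, environ, start_response):
        if host_is_allowed(environ.get("HTTP_HOST"), self.allowed):
            return self.app(environ, start_response)
        body = b"Misdirected request\n"
        start_response("421 Misdirected Request",
                       [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))])
        return [body]


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin panel\n"]


def status_for(host):
    """Send one constructed request through the middleware; return the status."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host is not None:
        environ["HTTP_HOST"] = host
    HostCheck(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

    In a rebinding scenario the browser still sends the name it was given, so a request that reaches 192.168.1.20 carrying `Host: attacker.example` is refused here even though the TCP connection landed on the right machine.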
  • @AgreeableLandscape
    8
    2 years ago

    There is pretty much no legitimate reason that a site from the internet should access the local network.

    The only exception I’ve seen to this is Synology having a NAS finder webapp where it searches your local network for a Synology device and tells you the IP address. But that’s a tiny niche use case and there are other ways of finding it that don’t involve a website (the device broadcasts its identity and has a hostname FFS). Any open source IP scanner will find it instantly, or in many networks you can just type the hostname into your browser like a domain.

  • @pinknoise
    5
    2 years ago

    It’s about time; attackers can extract quite a bit of data about the local network via the browser. It’s pretty easy to identify appliances and home routers given someone stays on a site long enough.

  • @LLVMcompile
    2
    2 years ago

    I thought this was something that they already patched. Good on Google this time.

  • @obbeelOP
    1
    2 years ago

    I would like to pose a question. Will I still be able to set up or visit FTP servers?

  • @seragold
    1
    2 years ago

    Hmm. Will this affect, say, a web3 wallet talking to a hardware wallet?

  • @Yujiri
    1
    1 year ago

    deleted by creator