This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Create "firewall"-like shield to protect against DNS rebinding attacks #12671

Closed
evq opened this issue Jan 16, 2018 · 0 comments · Fixed by #13119


evq commented Jan 16, 2018

Description

NoScript has a component called the Application Boundaries Enforcer which in its default configuration protects against DNS rebinding attacks that target intranet resources. We should consider adding something similar.

https://en.wikipedia.org/wiki/Noscript#Application_Boundaries_Enforcer_.28ABE.29

@diracdeltas diracdeltas self-assigned this Jan 16, 2018
diracdeltas added a commit to brave/muon that referenced this issue Jan 23, 2018
Needed for session.webRequest.onHeadersReceived in order to implement brave/browser-laptop#12671
diracdeltas added a commit that referenced this issue Feb 13, 2018
fix #12671

test plan:
1. download an image and name it to rabbits.jpg
2. in the rabbits.jpg directory, start a localhost server: 'python -m SimpleHTTPServer 8000'
3. go to https://jsfiddle.net/c6y5qx5m/. you should see either 2 or
   3 copies of rabbits.jpg loaded.
4. go to about:preferences#security and enable 'Application Firewall'
5. go to https://jsfiddle.net/c6y5qx5m/ in a new private or session tab
   (to avoid loading cached files). now none of the rabbits.jpg images
   should load.
@diracdeltas diracdeltas added this to the 0.22.x (Developer Channel) milestone Feb 13, 2018
@bbondy bbondy modified the milestones: 0.22.x (Developer Channel), 0.23.x (Nightly Channel) Feb 25, 2018
@alexwykoff alexwykoff modified the milestones: 0.23.x (Nightly Channel), Completed work Mar 13, 2018
@alexwykoff alexwykoff modified the milestones: Completed work, 0.24.x (Nightly Channel) Apr 10, 2018
diracdeltas added a commit that referenced this issue Apr 10, 2018
fix #12671

test plan:
1. download an image and name it to rabbits.jpg
2. in the rabbits.jpg directory, start a localhost server: 'python -m SimpleHTTPServer 8000'
3. go to https://jsfiddle.net/c6y5qx5m/. you should see either 2 or
   3 copies of rabbits.jpg loaded.
4. go to about:preferences#security and enable 'Application Firewall'
5. go to https://jsfiddle.net/c6y5qx5m/ in a new private or session tab
   (to avoid loading cached files). now none of the rabbits.jpg images
   should load.
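
The boundary rule this issue asks for (a local or intranet resource accepts requests only from a local page, so the test plan's public page cannot load rabbits.jpg from localhost), as an added example that is not Brave's or NoScript's code. It assumes the caller already has the resolved IP addresses of the initiating page and of the responding server; the function names and the sample addresses in the test are constructed for illustration.

```javascript
// Added example: ABE-style "LOCAL" boundary check (not Brave's or NoScript's code).
// Assumption: the caller supplies the resolved IP of the page that initiated
// the request and the resolved IP of the server that answered it.

// IPv4 ranges treated as local: loopback, RFC 1918 private, link-local, "this host".
const LOCAL_V4 = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12],
  ['192.168.0.0', 16], ['169.254.0.0', 16], ['0.0.0.0', 8]
]

// Convert a dotted quad to an unsigned 32-bit integer, or null if malformed.
function v4ToInt (ip) {
  const parts = ip.split('.')
  if (parts.length !== 4) return null
  let n = 0
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null
    n = n * 256 + Number(p)
  }
  return n
}

function isLocalV4 (ip) {
  const n = v4ToInt(ip)
  if (n === null) return false
  return LOCAL_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits) // number of addresses in the range
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size)
  })
}

// True for loopback, private and link-local addresses
// (IPv4, IPv6, and the dotted form of IPv4-mapped IPv6).
function isLocalAddress (ip) {
  const a = ip.toLowerCase().replace(/^\[|\]$/g, '')
  if (!a.includes(':')) return isLocalV4(a)
  if (a === '::1' || a === '::') return true
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/)
  if (mapped) return isLocalV4(mapped[1])
  // fc00::/7 is unique local, fe80::/10 is link-local
  return /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a)
}

// Policy: a local destination accepts requests only from a local initiator.
function shouldBlock (initiatorIp, targetIp) {
  return isLocalAddress(targetIp) && !isLocalAddress(initiatorIp)
}
```

The decision has to use the address the connection actually resolved to rather than the hostname, because a rebinding hostname can pass a name-based check and then resolve to 127.0.0.1 or an intranet address.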