RequestPolicy / requestpolicy

RequestPolicy is a Firefox extension that gives you control over cross-site requests. --- Be sure to look at the dev-1.0 branch as that's where all of the interesting work is happening. See also: https://www.requestpolicy.com/1.0.html
https://www.requestpolicy.com/
107 stars 17 forks source link

block requests from public IP addresses to private IP addresses #114

Open jsamuel opened 12 years ago

jsamuel commented 12 years ago
imported trac ticket
created: 2010-06-19 09:51:04
reporter: justin

Some of the [http://ha.ckers.org/blog/20090117/request-policy-firefox-extention first feedback] RP received was that it doesn't offer protection in its default mode against CSRF to RFC 1918 addresses. For example, if one is using the strictness level of base domain, a site can embed an image that is served from a subdomain whose dns resolves to 192.168.1.1.

Solving this in RP directly is difficult without causing performance problems. This is because when RP gets to decide whether to cancel a request, it is at a time where it shouldn't be blocking on DNS resolution. More info in the existing bugzilla ticket for solving this in Firefox itself: https://bugzilla.mozilla.org/show_bug.cgi?id=354493

jsamuel commented 12 years ago
imported trac comment
created: 2011-02-20 14:44:24
author: eibwen

This ''may'' be a case for nsIContentPolicy.shouldProcess() in conjunction with #8 (for CIDR) and #6 (for blacklist). Noting that shouldProcess() is called AFTER starting to download the resource, it ''may'' be possible to get the IP address without a (then) redundant DNS query.

jsamuel commented 12 years ago
imported trac comment
created: 2011-02-20 16:31:41
author: justin

I won't be working on this ticket directly because bug 354493 is the correct solution and so is where I should be putting my time. There are good reasons why this should be solved in Firefox rather than an extension (as done by others before, e.g. !LocalRodeo). Some of those reasons are discussed in bugzilla bug 354493.

Once bug 354493 is resolved (in addition to any related bugs if a separate one is opened for giving extensions the ability to hook into restricting by IP address), this ticket we're commenting in will be closed and a separate ticket will opened to consider the correct IP address-related controls that users would want (until then, such a ticket is irrelevant). For now, this ticket exists to note that the problem is known and that the solution is being worked on outside of RP.

My work on bug 354493 comes in spurts lately based on my free time and also influenced by what's going on with electrolysis. I meant to make more progress on 354493 a few weeks ago, but m-c hadn't been merged into e10s recently and I didn't have time that could be spent on stale code. It could be a few months or it could be a few years until this is resolved, partly depending on how soon e10s moves forward and partly depending on whether there is renewed interest to move bug 354493 forward and deal with the potential usability issues noted in that bug. A lot of that comes down to how much time I have to put into it and investigating/trying solutions.

jsamuel commented 12 years ago
imported trac comment
created: 2011-02-20 20:57:06
author: eibwen

Regarding "bug 354493" in [ticket:114#comment:2] see [https://bugzilla.mozilla.org/show_bug.cgi?id=354493 Mozilla Bugzilla bug 354493].