davtur19 / DotGit

An extension for checking if .git is exposed in visited websites
GNU General Public License v3.0

Add 1Password to default blocklist #9

Closed ghost closed 3 years ago

ghost commented 3 years ago

Users of this extension are being negatively impacted when accessing *.1password.com (as well as *.1password.ca and *.1password.eu), as 1Password implements an active defense system that automatically blocks the IP address of clients that appear to be bots or are probing for common security issues. The requests that this extension performs trigger that system. This can be tested by attempting to access my.1password.com with the extension enabled.

This means that any user of this extension that tries to access their 1Password account will be immediately blocked at the IP level - this could be avoided by adding the above domains to the default blocklist.

In the interest of users, I would suggest making this addition to avoid putting them through that hassle.

davtur19 commented 3 years ago

To avoid problems I added the domains to the default blacklist. This will likely be a temporary solution... It is a solution that I don't like, because that way I would have to do it for a lot of other sites.

How did you find that it was causing problems? I thought that the users who used the extension were smart enough to understand that the extension can cause this kind of problem and solve the problem by themselves by changing IP, as the extension does not check the same domain twice.

I was thinking that maybe a custom user agent for the extension could make life easier for some sysadmin; by doing so, the custom user agent could end up on a user agent blacklist, and the extension would find no vulnerabilities where they actually exist.

On the one hand I understand your point of view, of wanting to block bots and those looking for vulnerabilities, but on the other hand it seems excessive to me to block for a simple request to /.git/HEAD.

Did you have so many requests like that? The extension is not used by many users...

Now I'm pushing the update on the stores, for chrome it might take a while...

I also don't like the fact that I'm indirectly advertising 1Password by putting it in the sources, and it shows when opening the settings.
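The thread turns on whether a single request to /.git/HEAD should get a client blocked. The following is an added example, not code from DotGit and not a description of how 1Password's defense actually works: a small server-side detector that parses constructed access-log lines and flags a client only after it has requested several distinct exposure-probe paths, so a one-off /.git/HEAD check from an extension user is not treated like a scanner. The log format, the probe-path list and the threshold are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in common log format (not real traffic).
# 203.0.113.10 sends one /.git/HEAD request, as DotGit would, then browses normally.
# 198.51.100.7 walks through several well-known exposure paths.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /dashboard HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /.svn/entries HTTP/1.1" 404 153 "-" "curl/8.0"
"""

# Minimal common-log-format parser: client IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed list of paths that typically indicate a probe for exposed repositories or secrets.
PROBE_PATHS = {"/.git/HEAD", "/.git/config", "/.svn/entries", "/.hg/hgrc", "/.env"}


def probe_paths_by_client(log_text):
    """Map each client IP to the set of distinct probe paths it requested."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if m.group("path") in PROBE_PATHS:
            probes[m.group("ip")].add(m.group("path"))
    return dict(probes)


def flag_scanners(log_text, threshold=3):
    """Return the IPs that requested at least `threshold` distinct probe paths.

    With the default threshold a single /.git/HEAD request is recorded but not
    flagged; only a client sweeping several probe paths crosses the line.
    """
    return {ip for ip, paths in probe_paths_by_client(log_text).items()
            if len(paths) >= threshold}


if __name__ == "__main__":
    print("flagged:", sorted(flag_scanners(SAMPLE_LOG)))
```

Lowering `threshold` to 1 reproduces the behaviour the issue complains about, where the single DotGit request alone is enough to flag the client.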