Consider adding blocking rules "from web to localhost" to default to improve security

[Remu-rin]

Example case: https://lock.cmpxchg8b.com/utorrent-crash-test.html (background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524) Page uses img src attribute to make requests to localhost and this goes through uMatrix default settings (* * image allow). Tested on Firefox and Chrome. Now I added to my rules:

* 127.0.0.1 * block * localhost * block * my-LAN-IP * block 127.0.0.1 127.0.0.1 * inherit localhost localhost * inherit my-LAN-IP my-LAN-IP * inherit

But maybe 127.0.0.1 and localhost rules are good enough for default? This would make silent attacks like above harder, but won't break services that are running on localhost and intentionally visited by user in the browser (on localhost:port and 127.0.0.1:port). Or there are legitimate cases when remote web page needs to request localhost?

[Thorin-Oakenpants]

FYI: see https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uMatrix .. namely IPv6 and 192.168

[Remu-rin]

@Thorin-Oakenpants Thanks, these short versions are very handy, didn't knew uM can accept rules like this. Blocking whole ranges is great. Also strict blocking is not working for those rules when there is * 1st-party * allow, so no need for inherit rules quoted above.