hackademix / noscript

The popular NoScript Security Suite browser extension.
https://noscript.net/
GNU General Public License v3.0

Clicking a link that happens to go to a 'LAN' site is blocked when 'LAN' is denied #342

Open ajacques opened 7 months ago

ajacques commented 7 months ago

In my trusted site preset, I disabled the 'LAN' option because I thought this would prevent sites from connecting to any local devices on my LAN. However, it also seems to prevent me from clicking a link that happens to navigate to a LAN-based domain. I would have expected that unchecking the LAN option would prevent any XHR, image load, or form POST to a LAN domain, in order to prevent DNS rebinding attacks, but I would have still expected to be able to click a link because that's a browser page navigation.

Example: Say I work in a corporate environment which uses split-horizon DNS. For example, on the internet github.com resolves to a non-private IP, but internally github.com resolves to a 10.0.0.0/8 address. I might disable LAN access in NoScript for sites by default to protect against any drive-by attacks using DNS rebinding, but if I were to search for GitHub on a search engine, I would not be able to click the link unless I were to permit LAN for the search engine.

To me this seems like a bug, but maybe I'm misunderstanding the purpose of the LAN checkbox. I want the LAN toggle to prevent XHR requests, image loads, CSS loads, form POSTs, frame loads, etc. from being sent to a LAN origin, but I want to be able to click a link that happens to go to a LAN domain without explicitly granting LAN access to every search engine or domain that happens to link to github.com. Clicking a link is more intentional and explicit vs. frame/XHR requests from a potentially malicious website that uses a frame to trigger a request to a LAN domain.
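The policy the reporter is asking for, written out as an added example (this is not NoScript's code and does not describe how the extension actually implements LAN protection). It uses WebExtensions webRequest vocabulary for request `type` and `method`; the request object shape, the `destIp` field, the `decide()` / `isLocalAddress()` helpers and the hard-coded private ranges are this example's own assumptions:

```javascript
// Added example (not NoScript's code): the request policy the reporter asks for,
// expressed in WebExtensions webRequest vocabulary. A request is modelled as
// { type, method, destIp }, where `type` uses webRequest ResourceType names
// ("main_frame", "sub_frame", "xmlhttprequest", "image", ...). `destIp` is an
// assumption of this sketch: the address the browser connected to, already known.

// Hard-coded "LAN" ranges for IPv4 (RFC 1918, loopback, link-local, this-network).
const LOCAL_V4 = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["0.0.0.0", 8],
];

// Dotted-quad -> unsigned 32-bit integer, or null if the text is not an IPv4 address.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = (n << 8) | Number(p);
  }
  return n >>> 0;
}

function inCidrV4(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// IPv6 text -> eight 16-bit groups plus an optional IPv4 tail ("::ffff:a.b.c.d").
// Returns null on malformed input. Handles "::" compression; no zone IDs.
function parseIPv6(ip) {
  let v4Tail = null;
  if (ip.includes(".")) {
    const lastColon = ip.lastIndexOf(":");
    v4Tail = ip.slice(lastColon + 1);
    if (ipv4ToInt(v4Tail) === null) return null;
    ip = ip.slice(0, lastColon + 1) + "0:0"; // stand in for the two groups the tail occupies
  }
  const halves = ip.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail]
    .map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return groups.some(Number.isNaN) ? null : { groups, v4Tail };
}

// true = LAN/local destination, false = public, null = not a parsable IP address.
function isLocalAddress(ip) {
  if (typeof ip !== "string") return null;
  if (ipv4ToInt(ip) !== null) {
    return LOCAL_V4.some(([base, bits]) => inCidrV4(ip, base, bits));
  }
  const v6 = parseIPv6(ip);
  if (!v6) return null;
  const g = v6.groups;
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped && v6.v4Tail) return isLocalAddress(v6.v4Tail); // ::ffff:a.b.c.d
  const loopback = g.slice(0, 7).every((x) => x === 0) && g[7] === 1; // ::1
  const ula = (g[0] & 0xfe00) === 0xfc00;       // fc00::/7
  const linkLocal = (g[0] & 0xffc0) === 0xfe80; // fe80::/10
  return loopback || ula || linkLocal;
}

// The proposed rule: a plain top-level GET navigation (what a link click produces)
// is allowed regardless of the initiator's LAN permission; everything else a page can
// trigger (sub-frames, XHR/fetch, images, CSS, scripts, and POST navigations from forms)
// is blocked toward LAN addresses unless the initiating site has LAN permission.
function decide(request, lanAllowedForInitiator) {
  if (request.type === "main_frame" && request.method === "GET") return "allow";
  if (lanAllowedForInitiator) return "allow";
  const local = isLocalAddress(request.destIp);
  if (local === null) return "block"; // destination unknown or malformed: fail closed
  return local ? "block" : "allow";
}

// Split-horizon scenario from the issue: github.com resolves to 10.x internally.
// Link click from a search engine without LAN permission -> allow; XHR -> block.
console.log(decide({ type: "main_frame", method: "GET", destIp: "10.20.30.40" }, false));
console.log(decide({ type: "xmlhttprequest", method: "GET", destIp: "10.20.30.40" }, false));
```

Two caveats a real implementation would have to deal with. First, a `main_frame` GET is not necessarily a user click: a script can set `location.href` to a LAN URL just as easily, so the rule above really means "top-level navigation", and anything stricter would need a user-gesture signal that the webRequest details do not carry. Second, in the webRequest API the `ip` of the peer is only filled in once the response has started (`onResponseStarted` and later), which is too late to cancel the request in `onBeforeRequest`; an extension that wants to block before connecting must learn the address another way, such as `browser.dns.resolve()` in Firefox.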