sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Preventing access to client local network? #3711

Open xet7 opened 4 months ago

xet7 commented 4 months ago

Any comments to this?

https://forums.meteor.com/t/security-preventing-access-to-local-network/61237

ocdtrekkie commented 4 months ago

This is one of the things that was pointed out in Sandstorm's security review, and you'll notice Kenton added a tab in the admin panel which is populated with the internal network addresses to block.
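As an added illustration of the server-side blocklist idea mentioned above (example code written for this thread, not Sandstorm's own; the CIDR list and the `resolve` hook are assumptions), this checks every address an outbound target resolves to against blocked internal ranges, including IPv4-mapped IPv6 forms:

```python
import ipaddress

# Constructed list standing in for an admin-populated set of internal ranges.
# These CIDRs are an assumption for the example, not Sandstorm's actual defaults.
DEFAULT_BLOCKED = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
]


def is_blocked_address(addr: str, extra_blocklist=()) -> bool:
    """True if the literal IP falls inside a blocked range."""
    ip = ipaddress.ip_address(addr)
    # Normalise IPv4-mapped IPv6 (::ffff:10.0.0.1) to IPv4 so the mapped
    # form cannot slip past the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for cidr in list(DEFAULT_BLOCKED) + list(extra_blocklist):
        if ip in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def check_outbound_target(host: str, resolve, extra_blocklist=()):
    """Return (allowed, reason) for a hostname or IP literal.

    `resolve` is a hypothetical hook mapping a hostname to the list of IP
    strings it resolves to; every resolved address must be outside the
    blocklist, otherwise a name with one public and one internal record
    would get through.
    """
    try:
        addrs = [str(ipaddress.ip_address(host))]  # already an IP literal
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "unresolvable"
    for a in addrs:
        if is_blocked_address(a, extra_blocklist):
            return False, f"{host} resolves to blocked address {a}"
    return True, "ok"
```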

ocdtrekkie commented 4 months ago

Oh the client-side local network. Interesting. I think our newer client-side sandboxing, if enabled, would cover this case?

xet7 commented 4 months ago

Is there somewhere more info about client-side sandboxing?

ocdtrekkie commented 4 months ago

Mind you, even if one blocked an iframe from automatically executing this, presumably one could have a plain link which opens in a new tab... then you'd just need to trick someone into clicking on it, which is not particularly hard.

xet7 commented 4 months ago

Qubes OS has per-VM firewall rules that could be used to limit access to local network, I think. I'm just thinking, are there some other ways too.

xet7 commented 4 months ago

For limiting client browser access to the filesystem, there is Firejail https://firejail.wordpress.com that works with Firefox, like only allowing access to the Downloads directory. It works on Linux. I did not yet get it working with Chromium based browsers.

xet7 commented 4 months ago

Actually, Firejail has also some possibilities to limit network access, I think.

ocdtrekkie commented 4 months ago

https://docs.sandstorm.io/en/latest/administering/config-file/ defines the config flag you can switch. With the new CSP, the only remote resources you can load are image files, IIRC, so I think that would stop one from loading an iframe containing an external page.

Honestly I kinda think the old security policy might prevent it too, but I'm not positive.

Again, I think tricking someone into clicking a link is an easy way around it anyways, and might be something that the browser indeed may want to defend against. (Also default passwords are going out of style... slowly, but many new network devices ship with unique default passwords per unit.)