Example case: https://lock.cmpxchg8b.com/utorrent-crash-test.html (background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524)
Page uses img src attribute to make requests to localhost and this goes through uMatrix default settings (* * image allow). Tested on Firefox and Chrome. Now I added to my rules:
* 127.0.0.1 * block
* localhost * block
* my-LAN-IP * block
127.0.0.1 127.0.0.1 * inherit
localhost localhost * inherit
my-LAN-IP my-LAN-IP * inherit
But maybe 127.0.0.1 and localhost rules are good enough for default? This would make silent attacks like above harder, but won't break services that are running on localhost and intentionally visited by user in the browser (on localhost:port and 127.0.0.1:port). Or there are legitimate cases when remote web page needs to request localhost?
<!--
Read first: https://github.com/gorhill/uMatrix/blob/master/CONTRIBUTING.md
No feature requests please. Issue tracker is for PROVEN issues with uMatrix
itself. Do not open an issue because your ruleset is interfering negatively
with a web site or with the browser's proper functioning. Use the logger to
diagnose issues with your ruleset.
uMatrix is for advanced users. Do not use the issue tracker to ask for
support if you have issues using uMatrix.
For question/support/discussions, there is Reddit's /r/uMatrix:
https://www.reddit.com/r/uMatrix/
For documentation:
https://github.com/gorhill/uMatrix/wiki
If you fail to provide basic key information, I will close the issue as
invalid with no comment. Use common sense to understand what is basic key
information. Examples: browser/version, uMatrix version, relevant browser
settings, relevant uMatrix settings, etc.
If you report an issue which I can't reproduce immediately, the issue will be
closed as unreproducable.
Given this, it's important to provide clear and detailed steps-to-reproduce.
Please investigate fully and completely before opening an issue, you must make
a strong and convincing case that the issue lies with uMatrix.
("works when I turn off uMatrix" is NOT making the case).
-->
Example case: https://lock.cmpxchg8b.com/utorrent-crash-test.html (background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524)
Page uses img src attribute to make requests to localhost and this goes through uMatrix default settings (`* * image allow`). Tested on Firefox and Chrome. Now I added to my rules:
> ` * 127.0.0.1 * block`
` * localhost * block`
`* my-LAN-IP * block`
`127.0.0.1 127.0.0.1 * inherit`
`localhost localhost * inherit`
`my-LAN-IP my-LAN-IP * inherit`
But maybe 127.0.0.1 and localhost rules are good enough for default? This would make silent attacks like above harder, but won't break services that are running on localhost and intentionally visited by user in the browser (on localhost:port and 127.0.0.1:port). Or there are legitimate cases when remote web page needs to request localhost?