undefined | Better HN

0 pointsMatheus288y ago0 comments

Maybe if the address in the URL bar doesn't resolve to a local address, block access to local addresses.

Might break some enterprise stuff, but better safe than sorry, put an opt out of this behind a flag.

0 comments

But it does resolve to a local address. The point of rbndr is that it switches between resolving to a remote address and to a local address, which is an entirely legitimate thing - https://owa.example.com for most companies will do exactly this when you move between the corporate network and the public internet.

Matheus28OP8y ago

>But it does resolve to a local address.

Huh? The exploit allows remote website you visit ends up having access to stuff bound to localhost. If a localhost website has access to other localhost stuff, it isn't as much of a big deal.

>The point of rbndr is that it switches between resolving to a remote address and to a local address, which is an entirely legitimate thing - https://owa.example.com for most companies will do exactly this when you move between the corporate network and the public internet.

IMO it's worth blocking it, and only allowing that behind a flag or a custom whitelist that the user maintains. Enterprises can easily do that.

j / k navigate · click thread line to collapse