
Preventing access to client local network? #3711

Open
xet7 opened this issue Feb 18, 2024 · 8 comments
Labels: question, security (Security issues or improvements)

Comments

@xet7 (Contributor)

xet7 commented Feb 18, 2024

Any comments to this?

https://forums.meteor.com/t/security-preventing-access-to-local-network/61237


@ocdtrekkie (Collaborator)

Oh the client-side local network. Interesting. I think our newer client-side sandboxing, if enabled, would cover this case?

@xet7 (Contributor, Author)

xet7 commented Feb 18, 2024

Is there more info somewhere about client-side sandboxing?

@ocdtrekkie (Collaborator)

Mind you, even if one blocked an iframe from automatically executing this, presumably one could have a plain link which opens in a new tab... then you'd just need to trick someone into clicking on it, which is not particularly hard.

@xet7 (Contributor, Author)

xet7 commented Feb 18, 2024

Qubes OS has per-VM firewall rules that could be used to limit access to the local network, I think. I'm just thinking about whether there are some other ways too.

@xet7 (Contributor, Author)

xet7 commented Feb 18, 2024

For limiting the client browser's access to the filesystem, there is Firejail https://firejail.wordpress.com, which works with Firefox, e.g. only allowing access to the Downloads directory. It works on Linux. I have not yet gotten it working with Chromium-based browsers.

@xet7 (Contributor, Author)

xet7 commented Feb 18, 2024

Actually, Firejail also has some options to limit network access, I think.

@ocdtrekkie (Collaborator)

https://docs.sandstorm.io/en/latest/administering/config-file/ defines the config flag you can switch. With the new CSP, the only remote resources you can load are image files, IIRC, so I think that would stop one from loading an iframe containing an external page.

Honestly I kinda think the old security policy might prevent it too, but I'm not positive.

Again, I think tricking someone into clicking a link is an easy way around it anyways, and might be something that the browser indeed may want to defend against. (Also default passwords are going out of style... slowly, but many new network devices ship with unique default passwords per unit.)
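The CSP behaviour described in the comment above, as an added illustration that is not part of this thread and not Sandstorm's code: a small evaluator for CSP fetch directives that answers whether a page under a given policy may embed a frame, load an image or fetch a script from a given URL, and separately flags URLs that point at private or loopback addresses. The policy string `EXAMPLE_CSP`, the origin `https://app.example.org` and the `192.168.1.1` address are constructed assumptions that model "only image files may be loaded remotely"; the real header comes from the config file linked above.

```python
"""Minimal evaluator for Content-Security-Policy fetch directives.

Added illustration for this thread; it is not Sandstorm's code and the
policy below is a constructed stand-in for the behaviour described
(remote loads allowed only for images, everything else same-origin).
"""
import ipaddress
from urllib.parse import urlparse

# Constructed policy (assumption), not the header Sandstorm actually sends.
EXAMPLE_CSP = "default-src 'self'; img-src *; frame-src 'self'"

# Resource type -> governing directive; anything missing falls back to default-src.
FETCH_DIRECTIVES = {
    "image": "img-src",
    "frame": "frame-src",
    "script": "script-src",
    "connect": "connect-src",
}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            # Browsers ignore a repeated directive, so the first one wins.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def source_matches(source, url, page_origin):
    """Return True if one source expression permits loading `url`.

    Handles 'none', 'self', '*', scheme-source ("https:") and host-source
    ("cdn.example.com", "*.example.com", "https://host:8443"); this is a
    simplified subset of the CSP matching rules, enough for the thread.
    """
    target = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.hostname, target.port) == (
            origin.scheme, origin.hostname, origin.port)
    if source == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):
        return target.scheme == source[:-1]
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    if src.port is not None and src.port != target.port:
        return False
    host, src_host = target.hostname or "", src.hostname or ""
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def is_allowed(header, resource_type, url, page_origin):
    """Would a page at `page_origin` governed by `header` be allowed to load `url`?"""
    policy = parse_csp(header)
    sources = policy.get(FETCH_DIRECTIVES[resource_type], policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: the policy says nothing about this load
    return any(source_matches(s, url, page_origin) for s in sources)


def targets_local_network(url):
    """Flag URLs pointing at private, loopback or link-local addresses."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(".local")
    return ip.is_private or ip.is_loopback or ip.is_link_local


def audit(header, page_origin, attempts):
    """Return [(resource_type, url, allowed, local)] for a list of attempted loads."""
    return [(kind, url, is_allowed(header, kind, url, page_origin), targets_local_network(url))
            for kind, url in attempts]


if __name__ == "__main__":
    # Constructed sample loads an embedded app might attempt; 192.168.1.1 is an
    # illustrative private address, not a real device.
    ORIGIN = "https://app.example.org"
    ATTEMPTS = [
        ("frame", "http://192.168.1.1/"),         # iframe to a LAN address: blocked
        ("image", "http://192.168.1.1/cam.jpg"),  # image from the LAN: policy permits it
        ("script", "https://cdn.example.com/x.js"),
        ("frame", "https://app.example.org/sub"),
    ]
    for kind, url, allowed, local in audit(EXAMPLE_CSP, ORIGIN, ATTEMPTS):
        print(f"{kind:7} {url:35} allowed={allowed!s:5} local_network={local}")
```

Two things the output makes visible: `frame-src 'self'` is what stops an embedded app from framing a page on the client's network, while `img-src *` leaves image fetches entirely unrestricted, so a policy of that shape does not stop every kind of load that can reach a local address. And CSP fetch directives only govern what the page itself loads or embeds; a user clicking an ordinary link that opens in a new tab is a top-level navigation that none of these directives cover, which is exactly the gap the comment points at.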

ocdtrekkie added the labels question and security (Security issues or improvements) on Feb 18, 2024