Preventing access to client local network? #3711
Oh the client-side local network. Interesting. I think our newer client-side sandboxing, if enabled, would cover this case?
Is there more info somewhere about client-side sandboxing?
Mind you, even if one blocked an iframe from automatically executing this, presumably one could have a plain link which opens in a new tab... then you'd just need to trick someone into clicking on it, which is not particularly hard.
Qubes OS has per-VM firewall rules that could be used to limit access to local network, I think. I'm just thinking, are there some other ways too.
For limiting client browser access to the filesystem, there is Firejail https://firejail.wordpress.com that works with Firefox, like only allowing access to the Downloads directory. It works on Linux. I have not yet got it working with Chromium-based browsers.
Actually, Firejail also has some possibilities to limit network access, I think.
https://docs.sandstorm.io/en/latest/administering/config-file/ defines the config flag you can switch. With the new CSP, the only remote resources you can load are image files, IIRC, so I think that would stop one from loading an iframe containing an external page. Honestly I kinda think the old security policy might prevent it too, but I'm not positive. Again, I think tricking someone into clicking a link is an easy way around it anyways, and might be something that the browser indeed may want to defend against. (Also default passwords are going out of style... slowly, but many new network devices ship with unique default passwords per unit.)
Any comments on this?
https://forums.meteor.com/t/security-preventing-access-to-local-network/61237