by gzer0 1100 days ago
Has this user’s GitHub account potentially been compromised?

The reasoning they give makes no sense; their style of writing also doesn’t match previous commits that they’ve made. Maybe looking too deep into this, but this commit makes absolutely 0 sense and should be reverted.


That actually reads like Ryan to me, I don't think his account has been compromised.

From the commit set (e.g., [0]), it looks like he was expanding EasyList's blocking of sites that use 127.0.0.1 DNS records to carry out DNS rebinding attacks and fingerprinting, and overlooked this legitimate use case for such records.

Legitimate, that is, as long as all of the domain owners are trusted, because this does open up opportunities for content served from those domains to punch through the same-origin policy and read back data served from 127.0.0.1. This can be a security hole, e.g., I've seen browser extensions in-the-wild which jury-rig IPC to an external helper process by opening up an HTTP API on a local port.

[0] https://github.com/easylist/easylist/commit/f11ee956a6e585d8...
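A defensive illustration of the hole described in the comment above, added here and not part of the thread or of EasyList: a helper-process HTTP API bound to 127.0.0.1 checks the Host header and serves only requests addressed to a loopback literal, so a page on a public domain whose DNS record points at 127.0.0.1 still cannot reach it, because the socket is local but the Host header carries the public name. The helper API, its port, the extension origin scheme and the sample requests are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample requests (not captured traffic) arriving at a hypothetical
# helper-process HTTP API bound to 127.0.0.1:8080. The first is what a page on a
# public domain with a 127.0.0.1 DNS record would send: local socket, public Host.
SAMPLE_REQUESTS = [
    {"Host": "rebind.example.test:8080", "Origin": "http://rebind.example.test"},
    {"Host": "127.0.0.1:8080", "Origin": "chrome-extension://abcdefghijklmnop"},
    {"Host": "localhost:8080"},
]

# Origin schemes the hypothetical helper expects from its own extension.
ALLOWED_ORIGIN_SCHEMES = {"chrome-extension", "moz-extension"}


def host_without_port(host_header: str) -> Optional[str]:
    """Strip the :port suffix, handling bracketed IPv6 literals like [::1]:8080."""
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end > 0 else None
    return value.rsplit(":", 1)[0] if ":" in value else value


def host_is_loopback(host_header: str) -> bool:
    """True only for 'localhost' or a literal loopback IP; any other DNS name,
    even one that currently resolves to 127.0.0.1, is rejected."""
    name = host_without_port(host_header)
    if name is None:
        return False
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False


def accept_request(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether the local API should serve this request, with a reason."""
    host = headers.get("Host")
    if host is None or not host_is_loopback(host):
        return False, "Host is not a loopback literal (possible DNS rebinding)"
    origin = headers.get("Origin")
    if origin is not None and origin.split("://", 1)[0].lower() not in ALLOWED_ORIGIN_SCHEMES:
        return False, "Origin is not the extension"
    return True, "ok"
```

Browsers set Host from the URL the page requested, so a rebinding page cannot forge a loopback literal there; the Origin check additionally keeps ordinary web pages that do guess 127.0.0.1 from calling the API.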