|
|
|
|
|
|
by mintplant
1100 days ago
|
|
|
That actually reads like Ryan to me, I don't think his account has been compromised. From the commit set (e.g., [0]), it looks like he was expanding EasyList's blocking of sites that use 127.0.0.1 DNS records to carry out DNS rebinding attacks and fingerprinting, and overlooked this legitimate use case for such records. Legitimate, that is, as long as all of the domain owners are trusted, because this does open up opportunities for conten served from those domains to punch through the same-origin policy and read back data served from 127.0.0.1. This can be a security hole, e.g., I've seen browser extensions in-the-wild which jury-rig IPC to an external helper process by opening up an HTTP API on a local port. [0] https://github.com/easylist/easylist/commit/f11ee956a6e585d8... |
|
|