
Yeah but why shouldn't the browser do this itself to provide the cross-origin protection?



I think just because they're afraid of breaking things? I'm honestly not sure what the rationale was for not implementing this. They do DNS pinning which helps mitigate DNS rebinding attacks, but I don't think they do anything specifically to restrict access to internally routable IPs.

They do block certain ports that are known to be problematic (25, 6667, 5222, etc.).


It's so stupid. Makes me want to just fork the browsers and add blatantly obvious protections like this if I can find the time...


If you do that, I would recommend looking at writing an extension first to see if there's any way to do it without a fork (maybe using the same technique that things like uBlock Origin have).

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...


Yeah you can almost certainly do it with an extension, but half the point of a fork would be to get the message across that they need to get their act together. (I almost certainly won't get around to it though, so this is just daydreaming.)



