
Networking - Proxy - PAC File - Instruct the web browser to forward all requests addressed to localhost into a blackhole

Create a PAC file

pac_localhost_discard.js
// SPDX-License-Identifier: CC0-1.0
 
const allowed_ports = [
  // uncomment and list any exceptions:
  // 80, 3000, ...
];
 
// CIDR 0/8 and 127/8
const local_cidrs =
  /^(?:127(?:\.(?:\d{1,})){1,3}|0+(?:\.0+){0,3})$/;
 
// other notations for 0/8 and 127/8
const localhosts = [
  'localhost',
  '::',
  '::1',
  '0x00.0',
  '0177.1',
  '0x7f.1'
];
 
 
function FindProxyForURL(url, host)
{
  // Check if localhost.
  if (localhosts.includes(host) ||
      host.match(local_cidrs)) {
 
    // Make exceptions for allowed ports.
    let port = url.match(/^\w+:\/\/[^/]+?:(\d+)\//);
    if (port) {
      port = parseInt(port[1]);
 
      if (allowed_ports.includes(port)) {
        return 'DIRECT';
      }
    }
 
    // Reject by proxying to local discard.
    return 'PROXY 127.0.0.1:99';
  }
 
  // All other requests are allowed.
  return 'DIRECT';
}

NOTE: Every connection addressed to localhost is handed to a "proxy" at 127.0.0.1:99. Nothing listens there, so the TCP connection is refused and the request fails. Make sure no program on the machine actually binds port 99, because whatever listens there would receive every blackholed request.

WARNING: Do not apply this PAC file to your entire operating system.

This will cause havoc and break many programs and functionality in unique and interesting ways.

Only use it in a web browser that you do not want to have access to any service listening on localhost. If you need to reach services running on localhost, use a secondary web browser for that.


Implement

  • Drag that file into Firefox.
  • Write down the contents of the address field (file://…).
  • Type about:config into the address field and press Enter.
  • Search for network.proxy.
  • Locate and apply the following changes to the configuration:
    • Set network.proxy.allow_hijacking_localhost to true (without it Firefox never routes localhost, 127.0.0.1 or ::1 through a proxy, and the PAC file would be bypassed for exactly the addresses it is meant to block).
    • Set network.proxy.autoconfig_url to the address you noted above.
    • Set network.proxy.type to 2.

NOTE: Any new connections will be filtered through the PAC file.

Firefox does not need to be restarted.


Further improvements

This PAC file still leaves one avenue of attack open, however.

A DNS domain name can be made to resolve to a localhost address, and a name such as attacker-controlled.example does not match the literal-address checks above.

To protect against this type of attack the destination domain name needs to be resolved before the decision is made.

  • Applying this protection will introduce a significant performance penalty of 10–500 milliseconds per URL (even to the same host) that is loaded in your web browser.
  • Firefox’s PAC parser doesn’t use Firefox’s DNS cache so the slow-down even applies to URLs under the same host.
  • An average webpage loads 75 URLs, according to the April 2020 numbers from the HTTP Archive.

If this is considered an acceptable performance penalty for the additional protection given, then modify the above host checking to include the following conditional:

pac_localhost_discard.js
if (localhosts.includes(host) ||
    host.match(local_cidrs) ||
    isInNet(host, '127.0.0.1', '255.0.0.0')) {
...

NOTE: The literal-address checks above (the localhosts list and the local_cidrs regex) still run first; because || short-circuits, isInNet() and its DNS lookup are only reached for hosts that pass them. The mask given is an IPv4 one, so this call only catches names whose answer lies in 127/8; a name resolving into 0/8 needs a second isInNet(host, '0.0.0.0', '255.0.0.0') check.
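The following is an added offline harness for the PAC logic on this page (both the basic file above and the isInNet() variant); it is example code written for this page, not part of the original PAC file or of Firefox. Firefox normally supplies isInNet() and dnsResolve() inside its PAC sandbox; here they are stubbed with a constructed lookup table so the file runs under Node and the decision table can be inspected. The harness goes slightly beyond the page by also checking 0/8 with a second isInNet() call, and it allows port 3000 as a constructed example of an exception. The host strings are passed in exactly as the browser would hand them to FindProxyForURL(), so no URL normalisation happens before the check.

```javascript
// Added example: offline test harness for the localhost-blackhole PAC logic.
// Not part of the original page. isInNet()/dnsResolve() are stubs standing in
// for the helpers Firefox provides; FAKE_DNS is a constructed lookup table.

// Constructed DNS answers (assumption for this harness only).
const FAKE_DNS = {
  'www.example': '93.184.216.34',
  'rebind.example': '127.0.0.1', // a name an attacker pointed at loopback
  'zero.example': '0.0.0.0',     // a name pointed into 0/8
};

// Stub of the PAC helper: dotted-quad literals are returned unchanged,
// names are looked up in FAKE_DNS, unknown names fail to resolve (null).
function dnsResolve(host) {
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(host)) return host;
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}

// Stub of the PAC helper: resolve the host, then compare under the mask.
// Like the real helper it only understands IPv4 answers.
function isInNet(host, pattern, mask) {
  const addr = dnsResolve(host);
  if (addr === null) return false;
  const m = ipToInt(mask);
  return (ipToInt(addr) & m) === (ipToInt(pattern) & m);
}

const allowed_ports = [3000]; // constructed exception for the demo

// Same regex and list as the PAC file above: 0/8 and 127/8 in dotted form
// plus a few alternative spellings.
const local_cidrs = /^(?:127(?:\.(?:\d{1,})){1,3}|0+(?:\.0+){0,3})$/;
const localhosts = ['localhost', '::', '::1', '0x00.0', '0177.1', '0x7f.1'];

function FindProxyForURL(url, host) {
  if (localhosts.includes(host) ||
      host.match(local_cidrs) ||
      isInNet(host, '127.0.0.1', '255.0.0.0') ||   // page's improvement
      isInNet(host, '0.0.0.0', '255.0.0.0')) {     // added: 0/8 as well
    // Exceptions for allowed ports; the regex needs the "/" that ends the authority.
    let port = url.match(/^\w+:\/\/[^/]+?:(\d+)\//);
    if (port) {
      port = parseInt(port[1], 10);
      if (allowed_ports.includes(port)) return 'DIRECT';
    }
    return 'PROXY 127.0.0.1:99'; // blackhole: nothing listens on port 99
  }
  return 'DIRECT';
}

// Constructed samples: [url, host as the browser would pass it, expected verdict].
const SAMPLES = [
  ['http://www.example/', 'www.example', 'DIRECT'],
  ['http://localhost:3000/app', 'localhost', 'DIRECT'],          // allowed port
  ['http://localhost:8080/', 'localhost', 'PROXY 127.0.0.1:99'],
  ['http://127.1/', '127.1', 'PROXY 127.0.0.1:99'],               // regex: short form
  ['http://0/', '0', 'PROXY 127.0.0.1:99'],                       // regex: 0/8
  ['http://[::1]:3000/', '::1', 'DIRECT'],                        // IPv6 literal, allowed port
  ['http://rebind.example/', 'rebind.example', 'PROXY 127.0.0.1:99'], // caught by isInNet
  ['http://zero.example/', 'zero.example', 'PROXY 127.0.0.1:99'],     // caught by 0/8 check
  // Plain-integer spelling of 127.0.0.1. Neither the list, the regex nor this
  // stub resolver canonicalises it, so it slips through here; verify what your
  // browser hands to the PAC file for such URLs before relying on the filter.
  ['http://2130706433/', '2130706433', 'DIRECT'],
];

// Evaluate every sample and report whether the verdict matched.
function runSamples() {
  return SAMPLES.map(([url, host, expected]) => {
    const got = FindProxyForURL(url, host);
    return { url, host, expected, got, ok: got === expected };
  });
}

for (const r of runSamples()) {
  console.log(`${r.ok ? 'ok  ' : 'FAIL'} ${r.url.padEnd(28)} -> ${r.got}`);
}
```

The last sample is the point of the harness: the verdict table makes visible which spellings of loopback the checks catch and which one they do not, so the list and regex can be extended deliberately rather than by guesswork.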

networking/proxy/pac_file/instruct_the_web_browser_to_forward_all_requests_addressed_to_localhost_into_a_blackhole.txt · Last modified: 2021/01/13 16:51 by peter
