> In my opinion, web pages should not be allowed to make requests to LAN addresses unless the user has specifically and intentionally configured the browser to allow this.
Is there a way to know definitively if an address is "local" rather than "wide"? Should that be more granular, e.g. host, LAN, WAN? How does that work with bridged networking and such?
If I'm already browsing something on the LAN, it seems reasonable to be able to browse other sites on the LAN. But then that seems like an overly broad definition of LAN would allow privilege escalation.
If I saw a private IP (192.168, 10, etc) or a .local domain, I'd assume that was a LAN address, but that's a convention and depends very much on routing being set up properly.
> If I saw a private IP (192.168, 10, etc) or a .local domain, I'd assume that was a LAN address, but that's a convention and depends very much on routing being set up properly.
This convention on the address is actually backed by RFCs. eg. rfc 1918. There is similar for ipv6.
However, blocking traffic to private IPs without careful consideration seems like it could block some legitimate use. So one does have to tread carefully when special-casing those.
Is there a way to know definitively if an address is "local" rather than "wide"? Should that be more granular, e.g. host, LAN, WAN? How does that work with bridged networking and such?
If I'm already browsing something on the LAN, it seems reasonable to be able to browse other sites on the LAN. But then that seems like an overly broad definition of LAN would allow privilege escalation.
If I saw a private IP (192.168, 10, etc) or a .local domain, I'd assume that was a LAN address, but that's a convention and depends very much on routing being set up properly.