Page 1 of 1
LAN capability
Posted: Wed Feb 16, 2022 8:22 pm
by jbrown
Could you please explain the new LAN capability? What does "cross-zone WAN to LAN requests" exactly mean?
Re: LAN capability
Posted: Wed Feb 16, 2022 9:29 pm
by Giorgio Maone
In a nutshell, the LAN capability allows pages from the Internet (World Area Network / WAN) to link / send requests to hosts inside your Local Area Network (LAN), which is pretty much the current state of affairs and allows so called cross-zone CSRF/XSS attacks.
By keeping it disabled (as it is by factory setting in the DEFAULT and UNTRUSTED presets), you're replicating in an easier GUI way (no firewall-like rules involved)
this feature from "Classic" NoScript.
Re: LAN capability
Posted: Fri Feb 18, 2022 9:33 am
by Quest
Looks like if old custom settings allow Script then LAN is automatically allowed now?
Why. Or is it so?
Re: LAN capability
Posted: Fri Feb 18, 2022 10:11 am
by Giorgio Maone
Quest wrote: ↑Fri Feb 18, 2022 9:33 am
Looks like if old custom settings allow Script then LAN is automatically allowed now?
Why. Or is it so?
Correct. Not to disrupt stuff that's currently working and forcing people to make a CUSTOM rule.
It's not like LAN is giving sites a
new capability (without NoScript they can already send requests to the LAN): it's that the user now can turn this capability off, and by DEFAULT (on sites you don't trust) is already turned off.
If you prefer to have it off everywhere, you can do it as well by modifying the TRUSTED preset.
Re: LAN capability
Posted: Sun Feb 20, 2022 11:12 pm
by barbaz