this post was submitted on 31 Jan 2025
27 points (100.0% liked)

Firefox

A community for discussion about Mozilla Firefox.

founded 2 years ago
top 6 comments
[–] [email protected] 7 points 1 week ago* (last edited 1 week ago)

It sounds like, from other articles, Chrome at least is blocking access to the local machine from non-local pages, which seems very much desirable.

Blocking access to the local machine across-the-board would be problematic, since one might want to browse stuff served by a local webserver.

I'd also add that I've been around network security for some time, have gone through a bunch of the RFCs and know some odd IPv4 addressing quirks -- I can tell you that 0177.0x1 will reach localhost -- but didn't know that a packet addressed to 0.0.0.0 would go to localhost. From another article, it sounds like other addresses that reach localhost had been blocked a long time ago.

[–] [email protected] 5 points 1 week ago

Oligo Researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1. 

Remediation In Progress: Browsers Will Soon Block 0.0.0.0

Following responsible disclosure, HTTP requests to 0.0.0.0 are now being added to security standards using a Request for Comment (RFC), and some browsers will soon block access to 0.0.0.0 completely. 0.0.0.0 will not be allowed as a target IP anymore in the Fetch specification, which defines how browsers should behave when doing HTTP requests.

[–] [email protected] -1 points 1 week ago (2 children)

Um, OK? I dunno why you'd wanna block access to that IP.

[–] Darkassassin07 12 points 1 week ago* (last edited 1 week ago) (1 children)
[–] [email protected] 1 points 1 week ago

Oh man, I thought it was some silly celebration day for the 0.0.0.0 address, so I didn't even click on the link at first.

[–] [email protected] 6 points 1 week ago

If a remote page can cause your browser to do fetches on your local machine, it can potentially poke at a lot of important stuff that has Web UIs running on the local machine.
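An added example, not part of the thread or of any browser's code: a defender-side check that normalizes the address forms mentioned in the comments above (`0177.0x1`, `0.0.0.0`) the way classic `inet_aton()` parsing does, then reports whether a destination host lands on the local machine. The function names are hypothetical, the sample hosts are constructed, and treating the IPv6 unspecified address `::` as local is a conservative assumption.

```python
import ipaddress
import re

# One inet_aton-style component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def parse_legacy_ipv4(text):
    """Parse 1-4 dotted parts like inet_aton(); return IPv4Address or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1:
            values.append(int(p, 8 if p[0] == "0" else 10))
        else:
            values.append(int(p))
    # Leading parts are one byte each; the last part fills the remaining bytes.
    *head, last = values
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    number = last
    for i, v in enumerate(head):
        number |= v << (8 * (3 - i))
    return ipaddress.IPv4Address(number)


def targets_local_host(host):
    """True if host names the loopback range or the unspecified address."""
    host = host.strip("[]").lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    addr = parse_legacy_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)  # strict IPv4/IPv6 forms
        except ValueError:
            return False  # an ordinary hostname; resolving it is out of scope
    return addr.is_loopback or addr.is_unspecified


if __name__ == "__main__":
    # Constructed sample destinations.
    for h in ["0177.0x1", "0.0.0.0", "2130706433", "[::1]", "192.168.1.10"]:
        print(f"{h:>14} -> local={targets_local_host(h)}")
```

A filter that compares the host string only against `127.0.0.1` and `localhost` misses every other form in the sample list that this check flags.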