Via HackerOne.
A researcher expressed a general concern about `security.allow-outbound-http`:
- it defaults on and is not prominently raised to new users;
- it's all-or-nothing -- no concept of public/private IP space;
- the description does not sufficiently explain the (moderate) risks of leaving it enabled (if your install is on a limited-access subnet).
- Notably, attackers can use the machine's ability to access the network, which may allow them to find services (and, in some rare cases, interact with services that have very, very weak authentication and act over HTTP GET).
These are reasonable concerns, and things we should improve as Phabricator's network-based tools mature (e.g., see T6706). Although I think this risk is currently very low (you need a user account and access to the machine, and gain very limited power on the subnet) it is something we should provide better tools for and raise to users more prominently. For a similar check, see T2380.
These settings aren't relevant for most installs, but they are for higher-value installs. Maybe after the "Quest Tracker" UI (T5317) we could have a "Security" chain which focuses on walking through options which lock down access. Or just, like, a document about this stuff.