New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add -NoProxy
parameter to Invoke-WebRequest
#3418
Comments
I believe there is not security implication here because any browser allow users to change Proxy settings. We could use Uri = Invoke-WebRequest -Proxy $null |
In my testing, "-Proxy $null" does not work. The request still goes to the system proxy. |
It was my suggestion to implement. |
A downside of using What about |
@TheFlyingCorpse We cannot change type (it is |
I see. a |
I have a patch right around the corner that fixes this. It introduces a |
@iSazonov if your workstation is under enterprise control typically you cannot change your proxy settings. Allowing so would subvert the security policy that is in place. |
@thezim however, if they have access to powershell, they could circumvent it today calling the .Net APIs directly. |
@SteveL-MSFT if one has the means (.NET API) to enter your home would you leave the front door unlocked (-NoProxy) to make it easier? |
Alternatively, if you want policy enforced, this should be done within corefx |
On Windows we can block changing of proxy setting in IE by means of GPO but users is free to change the setting in any other third party agent (Firefox, Chrome, Opera, wget and so on). |
Plus its possible to wipe it via reg.exe / regedit. |
The System Proxy settings in an enterprise environment are a management convenience. It's not a security setting. Security is better handled by blocking 80 and 443 at the firewall. |
@iSazonov GPO's exist for third party browsers as well. In my enterprise FF is locked down too. Stack on host based security system managed at the enterprise level and changing settings becomes very difficult. No installing unauthorized applications, running registry editors, etc. @TheFlyingCorpse registrys keys have ACLs on them to prevent this and is considered a best practice. @mcwidg3t I agree port blocking is be best solution but security is should be multi layered and should should never depend on a single layer. Hacker's count on admins thinking they are safe to great effectiveness. |
@thezim if you remove Powershell from the client desktop then you've removed a potential security hole, which also makes sense from a layered security approach. However, you also may be impacting productivity. It's a balancing act. In this case, I think that any increased risk in having a -NoProxy parameter is minimal given there are more appropriate ways at handling the security. I think it's a useful feature to have so for me, I'd implement it. |
@thezim I think enterprises can still lock this down by having a proxy function in PowerShell that doesn't expose |
First, this is implemented in #3447 This thread is all conjecture until someone investigates whether the proposed APIs we're using respect enterprise controls that limit proxy settings. From what I can see, we're basically just passing If Giving the PR my 👍 |
Someday CoreFX integrates Authorization Manager 😄 |
Good news @joeyaiello. Looking forward to that being released. |
This request came in from UserVoice, and I think it might make sense, but I'm also curious if there's a security implication here (i.e. if an admin sets a proxy globally, could a user override it with this parameter?)
Steps to reproduce
Set up a system-wide proxy and run:
Expected behavior
The request doesn't go through the system-wide proxy.
Actual behavior
The request does go through the system-wide proxy.
The text was updated successfully, but these errors were encountered: