Ports that are blocked by browsers (2023)

https://www.keenformatics.com/ports-that-are-blocked-by-browsers

48•keepamovin•9mo ago

Comments

Dwedit•8mo ago

If you really really need to connect to a server running on a "forbidden port", you can use client-side network forwarding, such as SSH tunnels or Netcat.

M95D•8mo ago

Or you can set "network.security.ports.banned.override" with a list of ports you want unblocked.

snvzz•8mo ago

A glaring omission is listing ports for any browser other than firefox.

Do they do the same? Are they the same ports?

rolph•8mo ago

ports have standardized default usages, this means new or poorly configured installs are prone to abuse, so its generally good to limit these ports in some way.

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbe...

banana_giraffe•8mo ago

Different ports, here's the list for Chromium:

https://github.com/chromium/chromium/blob/76892135714e5b4f16...

joecool1029•8mo ago

I'm surprised IRC wasn't on the list after the IRC flooding incident years ago: https://news.softpedia.com/news/Firefox-Bug-Used-to-Harass-a...

I guess the concern is targeting local services not remote ones.

banana_giraffe•8mo ago

Interestingly, they are there:

https://github.com/mozilla/gecko-dev/blob/771bc161e016e2bd1f...

(Confirmed on a recent-ish Firefox browser)

They look to have been there for at least 5 years, dunno when they were added before that.

wayvey•8mo ago

Wow, been a full stack webdev for over a decade and somehow I don't remember ever encountering this. Nice post!

keepamovin•8mo ago

Yes lol me too!

Here’s how I recently found out about it: So I was doing a customer demo, and everything was going great — I was in the middle of showing them how to set up BrowserBox, and I said, “You know, BrowserBox can run on any port, so let’s just pick one. Maybe…” and I just randomly picked one — 9000?

I input that, hit run, and opened the login link in the browser, and nothing happened.

And I was like, what? So I said, “I’m sure it’s nothing, let’s check the logs.”

I checked the logs, and I see this “bad port” error. And I’m like, bad port? What the…?

I went down a rabbit hole trying to figure out what was going on — all in the middle of a customer demo.

Anyway, I put a pin in it, changed the port, and moved on with the demo.

But basically, what happened is: the port for the actual headless Chrome service is always 3000 less than the application port. So in this case, that meant the headless Chrome had been listening on port 6000.

Chrome was fine with that. But when I tried to connect to that with Node.js — specifically using undici, the native Node fetch — it refused to connect to port 6000.

And somehow, this is the first time after, like you, being a web dev for more than ten years and working on this project for five, that I’d ever encountered that. I can’t believe I never picked port 9000 before in my life!

Anyway, I actually find it kind of ridiculous that a server-side library would restrict what I can connect to.

So I created a very well-tested shim of fetch — API identical — but based on the http2 and http libraries in Node.

It turned out to be this surprisingly impactful thing that I’d never, ever heard about before.

And honestly? I think it’s really stupid that the Node.js fetch library has this browser-based restriction.

ranger_danger•8mo ago

I remember it explicitly, but I have been in webdev since the 90s, and using alternate ports was more common back then. One of the original vulns for this was reported in 2001.

https://www.kb.cert.org/vuls/id/476267

FSD helped save my father's life during a heart attack

Show HN: Writtte – Draft and publish articles without reformatting, anywhere

Portuguese icon (FROM A CAN) makes a simple meal (Canned Fish Files) [video]

Brookhaven Lab's RHIC Concludes 25-Year Run with Final Collisions

Transcribe your aunts post cards with Gemini 3 Pro

.72% Variance Lance

ReKindle – web-based operating system designed specifically for E-ink devices

Encrypt It

NextMatch – 5-minute video speed dating to reduce ghosting

Personalizing esketamine treatment in TRD and TRBD

SpaceKit.xyz – a browser‑native VM for decentralized compute

NotebookLM: The AI that only learns from you

Show HN: An open-source starter kit for developing with Postgres and ClickHouse

Game Boy Advance d-pad capacitor measurements

South Korean crypto firm accidentally sends $44B in bitcoins to users

Apache Poison Fountain

Web.whatsapp.com appears to be having issues syncing and sending messages

Google in Your Terminal

Shannon: Claude Code for Pen Testing: #1 on Github today

Anthropic: Latest Claude model finds more than 500 vulnerabilities

Brooklyn cemetery plans human composting option, stirring interest and debate

Why the 'Strivers' Are Right

Brain Dumps as a Literary Form

Agentic Coding and the Problem of Oracles

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Show HN: I built a <400ms latency voice agent that runs on a 4gb vram GTX 1650"

Penisgate erupts at Olympics; scandal exposes risks of bulking your bulge

Arcan Explained: A browser for different webs

What did we learn from the AI Village in 2025?

An open replacement for the IBM 3174 Establishment Controller