Fix "Origin" isolation check #135
Assignees
Labels
effort/hours
Estimated to take one or several hours
exp/intermediate
Prior experience is likely helpful
good first issue
Good issue for new contributors
help wanted
Seeking public contribution on this issue
kind/bug
A bug in existing code (including security flaws)
P1
High: Likely tackled by core team if no one steps up
status/ready
Ready to be worked
Comments
lidel
added
kind/bug
|
Just check the response URL: let hash = `bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m`
let now = Date.now()
let testUrl = `https://ipfs.1-2.dev/ipfs/${hash}?now=${now}#x-ipfs-companion-no-redirect`
fetch(testUrl).then(res => {
if (response.url.startsWith(`https://${hash}`)) console.log(`Supports origin isolation`)
else console.log(`Does not support origin isolation`)
}); |
|
@whizzzkid to investigate if this is solved with his recent changes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It seems that gateways get β for Origin isolation and π EVEN when path gateway does not redirect to a subdomain.
This broken setup is not possible with go-ipfs, but someone could do this type of menace with a custom Nginx config, defeating the origin isolation provided by subdomains.
Figuring out if
/ipfs/{cid}returns HTTP 200 or 301 will be tricky because JSfetchfollows redirects.Workarounds to investigate (did not check, just an idea):
load HTML+JS into a hidden iframe, and readwindow.location.originfrom iframe via postMessage and fail if origin is nothttps://{cid}.ipfs.{gateway}The text was updated successfully, but these errors were encountered: