
BUHH #2255

Closed
wants to merge 1 commit into from

Conversation

@ghost ghost commented Oct 28, 2019

😠

I hope this way you'll pay attention now.
@HelloZeroNet
Owner

Please open a new issue with the details if you found any security problem.

@ghost ghost commented Oct 28, 2019

I'm gonna take a wild guess and say that he's talking about line 281 in his pr @HelloZeroNet

@ghost ghost commented Oct 28, 2019

Screenshot from 2019-10-28 11-43-09

@HelloZeroNet
Owner

The no-referrer header does not fix the linked issue.
To avoid tabnabbing we would need to add noopener rel to the links, but as far as I know there is no way to do it by HTTP headers.

@ghost ghost commented Oct 28, 2019

@HelloZeroNet https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#tabnabbing
Screenshot from 2019-10-28 11-56-58

Also, we have the wrapperOpenWindow zeroframe cmd that we need to do this for.

@HelloZeroNet
Owner

@ghost ghost commented Oct 28, 2019

Ok, I didn't know that. Good!

@ghost ghost changed the title To the idiot in Budapest BUHH Oct 28, 2019
@ghost ghost deleted the patch-1 branch October 28, 2019 21:13
@ghost ghost restored the patch-1 branch October 28, 2019 21:13
@ghost
Author

ghost commented Oct 28, 2019

The wrapperOpenWindow already works like this:
https://github.com/HelloZeroNet/ZeroNet/blob/py3/src/Ui/media/Wrapper.coffee#L235

Sending the header is better!
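An added example (not ZeroNet's Wrapper.coffee, nor anything from the thread's participants) of the two mitigations the thread distinguishes: a wrapper-side open that drops the opener reference, which is what the noopener mechanism gives and a Referrer-Policy header does not, plus rel hardening for anchors. The window object is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example: isolate windows opened by a wrapper so the new page cannot
// reach back to the opener (reverse tabnabbing). A Referrer-Policy: no-referrer
// header only hides the referrer; it does not sever window.opener.

// Ensure an anchor's rel attribute carries both noopener and noreferrer when
// it targets a new browsing context. Pure string function, applicable to any
// markup the wrapper emits.
function hardenRel(rel, target) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  if (target === "_blank") {
    tokens.add("noopener");
    tokens.add("noreferrer");
  }
  return Array.from(tokens).join(" ");
}

// Open a URL in a new context without handing it a reference to us.
// `win` is any window-like object exposing open(); in a browser pass `window`.
function safeOpenWindow(win, url) {
  // Modern browsers honour "noopener" in the features string and return null.
  const handle = win.open(url, "_blank", "noopener,noreferrer");
  // Older engines ignore the feature and return a handle whose opener is us;
  // nulling it from our side closes that path as well.
  if (handle && handle.opener) {
    handle.opener = null;
  }
  return handle;
}

// Constructed stand-in for window.open that behaves like an older browser:
// it ignores the features string and links the child back to its opener.
function makeLegacyWindow() {
  const win = { opened: [] };
  win.open = function (url, _target, _features) {
    const child = { url: url, opener: win };
    win.opened.push(child);
    return child;
  };
  return win;
}
```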
