This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

WebTorrent: Torrent server should be restricted to same origin #10012

Closed
feross opened this issue Jul 17, 2017 · 2 comments

@feross
Contributor

feross commented Jul 17, 2017

  • Did you search for similar issues before submitting this one? Yes.

  • Describe the issue you encountered:

Another origin could make an XHR or fetch request to the localhost torrent server URL if they could guess the server address + port + URL, which isn't very hard through enumeration.

  • Platform (Win7, 8, 10? macOS? Linux distro?): All

  • Brave Version (revision SHA): master

  • Steps to reproduce:

    1. Open inspector on a webtorrent media viewer page.
    2. Select the <video> node and copy the URL.
    3. Make a fetch or XHR request from another domain and see that it is allowed.
  • Can this issue be consistently reproduced? Yes.
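
One way a localhost server like the one described above can refuse requests from other origins, as an added example that is not part of the original issue and is not Brave's or WebTorrent's code (the fix in PR #10011 is not shown on this page). The origin `http://localhost:49152` and the names `checkRequest` and `sameOriginOnly` are hypothetical.

```javascript
// Added example, not Brave/WebTorrent code. ALLOWED_ORIGIN is a constructed
// placeholder for the origin the local torrent server is served from.
const ALLOWED_ORIGIN = 'http://localhost:49152'

// Decide from the request headers (lower-cased names, as Node delivers them)
// whether the request comes from the server's own origin.
function checkRequest (headers, allowedOrigin = ALLOWED_ORIGIN) {
  const allowed = new URL(allowedOrigin)

  // Host must name the loopback address we serve on; a page that reached us
  // through a rebinding hostname sends its own hostname here.
  if (String(headers.host || '').toLowerCase() !== allowed.host) {
    return { allow: false, reason: 'bad-host' }
  }
  // Cross-origin fetch/XHR carries an Origin header; same-origin GET may omit it.
  if (headers.origin !== undefined && headers.origin !== allowed.origin) {
    return { allow: false, reason: 'cross-origin' }
  }
  // Browsers that send Sec-Fetch-Site also label no-cors loads such as <video src>.
  const site = headers['sec-fetch-site']
  if (site !== undefined && site !== 'same-origin') {
    return { allow: false, reason: 'cross-site-fetch' }
  }
  return { allow: true, reason: 'same-origin' }
}

// Wrap a (req, res) handler, e.g. http.createServer(sameOriginOnly(serve)).
function sameOriginOnly (serve, allowedOrigin = ALLOWED_ORIGIN) {
  return function (req, res) {
    const verdict = checkRequest(req.headers, allowedOrigin)
    if (!verdict.allow) {
      res.statusCode = 403
      res.end('Forbidden')
      return verdict
    }
    // No Access-Control-Allow-Origin is emitted, so other origins cannot read
    // the response; CORP also tells browsers to block no-cors embedding.
    res.setHeader('Cross-Origin-Resource-Policy', 'same-origin')
    serve(req, res)
    return verdict
  }
}
```
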

@feross
Contributor Author

feross commented Jul 17, 2017

PR: #10011

@diracdeltas diracdeltas added this to the 0.17.17 (Release Channel) milestone Jul 17, 2017
@diracdeltas
Member

Adding to next release since it is a high-impact security issue.
