This repository was archived by the owner on Feb 24, 2025. It is now read-only.


@brindy
Contributor

@brindy brindy commented Aug 22, 2023

Task/Issue URL: https://app.asana.com/0/1177771139624306/1205314901927898/f
Tech Design URL:
CC:

Description:

Fixes a bug which allows a UXSS attack by redirecting to a JavaScript URL.

Steps to test this PR:

  1. Visit https://websecurity.is/poc/uxss.html and click go. Should show error page. Click reload, Google will load.
  2. Visit http://brindy.org.uk/redirect.php - should redirect to the error page. Click reload, error page should remain visible.
  3. Smoke test general navigation / browsing.

Internal references:

Pull Request Review Checklist
Software Engineering Expectations
Technical Design Template
Pull Request Documentation
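As an added illustration, not the project's own code, the reload guard the description and test steps imply can be expressed as a scheme allowlist: the error page only offers to reload URLs whose scheme is http or https, so a `javascript:` redirect target is never re-run from the error page's context. All function and variable names here are assumptions.

```swift
import Foundation

/// Schemes the error page is allowed to reload. Anything else (javascript:,
/// data:, about:, file:, custom app schemes) is refused, so a site that
/// redirects to a `javascript:` URL cannot get that URL executed in the
/// error page's context by the user pressing reload.
let reloadableSchemes: Set<String> = ["http", "https"]

/// Returns true only if `candidate` parses as a URL with an http(s) scheme.
/// Unparseable input and scheme-less input are refused, not tolerated.
func isReloadableErrorURL(_ candidate: String) -> Bool {
    guard let url = URL(string: candidate),
          let scheme = url.scheme?.lowercased() else {
        return false
    }
    return reloadableSchemes.contains(scheme)
}

/// Decides what reload on the error page does: the URL to navigate to,
/// or nil meaning "stay on the error page".
func reloadTarget(failedURL: String) -> URL? {
    return isReloadableErrorURL(failedURL) ? URL(string: failedURL) : nil
}

// Constructed sample inputs covering the two behaviours in the PR's test
// steps: an http(s) page reloads, a javascript: redirect target does not.
let samples = [
    "https://example.com/page",      // reload allowed
    "HTTP://example.com/",           // scheme compared case-insensitively
    "javascript:void(0)",            // refused: error page stays visible
    "data:text/html,hello",          // refused
    "about:blank",                   // refused
    "not a url",                     // refused: no usable scheme
]

for sample in samples {
    let verdict = reloadTarget(failedURL: sample) == nil ? "stay on error page" : "reload"
    print("\(sample) -> \(verdict)")
}
```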

@brindy brindy requested a review from diegoreymendez August 22, 2023 11:39
Contributor

@diegoreymendez diegoreymendez left a comment


Works well for me, thanks @brindy !

@brindy brindy merged commit 4710af2 into develop Aug 22, 2023
@brindy brindy deleted the brindy/prevent-uxss-via-javascript-redirect branch August 22, 2023 12:07
diegoreymendez pushed a commit that referenced this pull request Aug 23, 2023
Task/Issue URL:
https://app.asana.com/0/1177771139624306/1205314901927898/f
Tech Design URL:
CC:

**Description**:

Fixes a bug which allows a UXSS attack by redirecting to a JavaScript
URL.

**Steps to test this PR**:
1. Visit https://websecurity.is/poc/uxss.html and click go. Should show
error page. Click reload, Google will load.
2. Visit http://brindy.org.uk/redirect.php - should redirect to the
error page. Click reload, error page should remain visible.
3. Smoke test general navigation / browsing.

<!--
Tagging instructions
If this PR isn't ready to be merged for whatever reason it should be
marked with the `DO NOT MERGE` label (particularly if it's a draft)
If it's pending Product Review/PFR, please add the `Pending Product
Review` label.

If at any point it isn't actively being worked on/ready for
review/otherwise moving forward (besides the above PR/PFR exception)
strongly consider closing it (or not opening it in the first place). If
you decide not to close it, make sure it's labelled to make it clear the
PR's state and comment with more information.
-->

---
###### Internal references:
[Pull Request Review
Checklist](https://app.asana.com/0/1202500774821704/1203764234894239/f)
[Software Engineering
Expectations](https://app.asana.com/0/59792373528535/199064865822552)
[Technical Design
Template](https://app.asana.com/0/59792373528535/184709971311943)
[Pull Request
Documentation](https://app.asana.com/0/1202500774821704/1204012835277482/f)
samsymons added a commit that referenced this pull request Aug 23, 2023
# By Diego Rey Mendez (7) and others
# Via Sam Symons (2) and others
* develop: (26 commits)
  Improve Sync-related database cleaning logic (#1529)
  Update onboarding-related error states (#1504)
  Prevents launching our menu agent without an auth code. (#1516)
  Autofill UI letter icons (#1535)
  Cleans up some code (#1517)
  Revert "Autofill Letter Icons" (#1534)
  Adds remote pre-commit installer, which includes automatic fix for linter (#1369)
  Autofill Letter Icons (#1475)
  change context menu for mailto links (#1513)
  Updates the version to 1.53.1
  Updated the embedded files for 1.53.1
  Update the phased rollout tester to avoid caching the config (#1520)
  Require Duck Player scheme URL to be passed from YouTube Overlay User Script (#1519)
  Add pixels related to Duck Player usage (#1515)
  only allow error reloads on http(s) urls (#1523)
  Standardize TDS Loading Error handling (#1524)
  Move pixel sender logic into the main view controller (#1528)
  Update the phased rollout tester to avoid caching the config (#1520)
  Set version to 1.52.3.
  Move pixel sender logic into the main view controller (#1528)
  ...

# Conflicts:
#	DuckDuckGo.xcodeproj/project.pbxproj
#	DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
#	DuckDuckGo/AppDelegate/AppDelegate.swift
#	DuckDuckGo/Common/Localizables/UserText.swift
#	DuckDuckGo/Common/Utilities/UserDefaultsWrapper.swift