fix: enforce origin isolation on subdomain gws #60
Conversation
lidel
force-pushed
the
origin-isolation-enforcement
branch
from
700ddbd
to
1b09048
Compare
| const isSubdomainIsolationSupported = async (location: Pick<Location, 'protocol' | 'host' | 'pathname'>): Promise<boolean> => { | ||
| // TODO: do this test once and expose it as cookie / config flag somehow | ||
| const testUrl = `${location.protocol}//bafkqaaa.ipfs.${location.host}` | ||
| try { | ||
| const response: Response = await fetch(testUrl) | ||
| return response.status === 200 | ||
| } catch (_) { | ||
| return false | ||
| } | ||
| } |
There was a problem hiding this comment.
💭 this is not a big deal because it only happens once when on /ipfs/cid paths, is not executed when on subdomain host, but perhaps we could leverage config passing setup based on iframe introduced in #24
| // TODO: why we need this origin here? where is targetOrigin used? | ||
| const targetOrigin = decodeURIComponent(window.location.search.split('origin=')[1]) |
There was a problem hiding this comment.
@SgtPooki is this something we want to keep, or can it be removed?
iirc if we don't have query param, we would reuse cache, making subdomain page loads faster
There was a problem hiding this comment.
This is only for loading config in iframe. Iframe needs to know parent origin to postmessage.
Target origin (main window) is subdomain, iframe is root domain.
There was a problem hiding this comment.
So if we can do that another way, we could remove this
There was a problem hiding this comment.
Could we use #hash instead? It does not get sent to server, but JS in inframe should see it.
|
Merging this PR will force redirect to subdomains when available and liberal CORS headers are present. This includes Given how sensitive the lack of isolation is for websites atm, I'm thinking about merging this as-is, to secure Ok to proceed @SgtPooki @aschmahmann ? |
| return null | ||
| } | ||
|
|
||
| const isSubdomainIsolationSupported = async (location: Pick<Location, 'protocol' | 'host' | 'pathname'>): Promise<boolean> => { |
There was a problem hiding this comment.
its worth adding a comment here saying that for our SW usecase, we're only worried about checking for a 200 response and no TLS error.
| // IPNS Names are represented as Base36 CIDv1 with libp2p-key codec | ||
| // https://specs.ipfs.tech/ipns/ipns-record/#ipns-name | ||
| // eslint-disable-next-line no-case-declarations | ||
| const ipnsName = CID.parse(id).toV1() |
There was a problem hiding this comment.
why are we CID.parse ing a dnslink/peerid?
There was a problem hiding this comment.
Valid CIDv1 in base32 will be also a valid DNS name.
So we parse string as CID first, and ONLY assume DNS if CID parsing failed.
If we did it the other way, ISP or DNS operator could return spoofed DNS name that is also a valid CID, and do MITM on users who only use cryptographic identifies.
Co-authored-by: Russell Dempsey <1173416+SgtPooki@users.noreply.github.com>
|
redirect to /wiki for http://helia-sw-gateway.localhost/ipns/en.wikipedia-on-ipfs.org doesn't work, but other than that, this seems to work well |
Description
Towards #30: this PR detects when a path gateway URL is loaded on host that supports subdomain gateway URLs, and redirects to unique origin.
To test:
Caveats:
helia-sw-gateway.localhost, they seem to blocklocalhost, so usehelia-sw-gateway.localhostfor testingNotes & open questions
Change checklist