-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: enforce origin isolation on subdomain gws #60
Conversation
700ddbd
to
1b09048
Compare
const isSubdomainIsolationSupported = async (location: Pick<Location, 'protocol' | 'host' | 'pathname'>): Promise<boolean> => { | ||
// TODO: do this test once and expose it as cookie / config flag somehow | ||
const testUrl = `${location.protocol}//bafkqaaa.ipfs.${location.host}` | ||
try { | ||
const response: Response = await fetch(testUrl) | ||
return response.status === 200 | ||
} catch (_) { | ||
return false | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💭 this is not a big deal because it only happens once when on /ipfs/cid paths, is not executed when on subdomain host, but perhaps we could leverage config passing setup based on iframe introduced in #24
// TODO: why we need this origin here? where is targetOrigin used? | ||
const targetOrigin = decodeURIComponent(window.location.search.split('origin=')[1]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@SgtPooki is this something we want to keep, or can it be removed?
iirc if we don't have query param, we would reuse cache, making subdomain page loads faster
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only for loading config in iframe. Iframe needs to know parent origin to postmessage.
Target origin (main window) is subdomain, iframe is root domain.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So if we can do that another way, we could remove this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we use #hash
instead? It does not get sent to server, but JS in inframe should see it.
Merging this PR will force redirect to subdomains when available and liberal CORS headers are present. This includes Given how sensitive the lack of isolation is for websites atm, I'm thinking about merging this as-is, to secure Ok to proceed @SgtPooki @aschmahmann ? |
return null | ||
} | ||
|
||
const isSubdomainIsolationSupported = async (location: Pick<Location, 'protocol' | 'host' | 'pathname'>): Promise<boolean> => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
its worth adding a comment here saying that for our SW usecase, we're only worried about checking for a 200 response and no TLS error.
// IPNS Names are represented as Base36 CIDv1 with libp2p-key codec | ||
// https://specs.ipfs.tech/ipns/ipns-record/#ipns-name | ||
// eslint-disable-next-line no-case-declarations | ||
const ipnsName = CID.parse(id).toV1() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are we CID.parse
ing a dnslink/peerid?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Valid CIDv1 in base32 will be also a valid DNS name.
So we parse string as CID first, and ONLY assume DNS if CID parsing failed.
If we did it the other way, ISP or DNS operator could return spoofed DNS name that is also a valid CID, and do MITM on users who only use cryptographic identifies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a few comments / nits, but overall fine with getting this in
Co-authored-by: Russell Dempsey <[email protected]>
redirect to /wiki for http://helia-sw-gateway.localhost/ipns/en.wikipedia-on-ipfs.org doesn't work, but other than that, this seems to work well |
Description
Towards #30: this PR detects when a path gateway URL is loaded on host that supports subdomain gateway URLs, and redirects to unique origin.
To test:
Caveats:
helia-sw-gateway.localhost
, they seem to blocklocalhost
, so usehelia-sw-gateway.localhost
for testingNotes & open questions
Change checklist