
Return User Signature as a URL Fragment Instead of Query Parameter

Open zavodil opened this issue 5 months ago • 0 comments

When invoking the signMessage function in Bitte Wallet, the user's signature is currently being returned in the URL as a query parameter. For example:

http://callbackUrl?signature=<signature>

Returning sensitive information like a user's signature in the URL query parameters introduces security concerns:

  • Logging Risks: Query parameters are often logged by web servers, proxies, and even browsers, which could inadvertently expose sensitive information.
  • History Storage: URLs with query parameters can be stored in the browser's history, further increasing the risk of unintentional leakage.

Proposed Solution: To mitigate these risks, it would be more secure to return the signature as a URL fragment (hash). For example:

http://callbackUrl#signature=<signature>

zavodil · Sep 03 '24 14:09
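Added example, not code from the issue or from mintbase-js / Bitte Wallet: the wallet-side redirect built both ways, what a web server or proxy actually receives in the request line for each, and the dApp-side read of the signature back out of the fragment. Function names, the `dapp.example` host and the sample signature value are assumptions.

```javascript
// Added illustration (assumed names). The wallet redirects the user back to
// the dApp's callbackUrl carrying the signature either in the query string
// (current behaviour described in the issue) or in the fragment (proposed).
function buildCallbackUrl(callbackUrl, params, { useFragment = true } = {}) {
  const url = new URL(callbackUrl);
  if (useFragment) {
    // URLSearchParams percent-encodes '+', '/', '=' so base64 survives intact.
    url.hash = new URLSearchParams(params).toString(); // ...#signature=...
  } else {
    for (const [key, value] of Object.entries(params)) {
      url.searchParams.set(key, value); // ...?signature=...
    }
  }
  return url.toString();
}

// The request target a browser sends on the wire is path + query only.
// The fragment never leaves the browser, so it cannot appear in server,
// proxy or CDN access logs. This is exactly the field such logs record.
function requestTarget(urlString) {
  const url = new URL(urlString);
  return url.pathname + url.search;
}

// dApp side: recover the signature from location.hash (or any '#...' string).
function readSignatureFromFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return new URLSearchParams(raw).get('signature');
}

// dApp side, browser only: read the signature once, then drop the fragment
// from the address bar so the current history entry no longer carries it.
function consumeSignatureFromLocation() {
  if (typeof window === 'undefined') return null; // not in a browser
  const signature = readSignatureFromFragment(window.location.hash);
  if (signature !== null) {
    window.history.replaceState(null, '', window.location.pathname + window.location.search);
  }
  return signature;
}

module.exports = { buildCallbackUrl, requestTarget, readSignatureFromFragment, consumeSignatureFromLocation };
```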