nyxt
nyxt copied to clipboard
Protect lisp:// URLs? Allow any value in nyxt://?
See https://github.com/atlas-engineer/nyxt/pull/2306#discussion_r884151097 for a discussion. We may have to tweak our schemes a bit.
Wait, why protect lisp://
URLs? They are pretty protected already, only allowing requests from internal buffers/pages...
Because you said
lisp:// URLs are not protected by WebKit, and they are CORS-ready, which makes them extemely open to any request (and exploitation).
Because you said
lisp:// URLs are not protected by WebKit, and they are CORS-ready, which makes them extemely open to any request (and exploitation).
But I've said a sentence after:
That's why we check the buffer and URL of all the lisp:// requests in the scheme callback—to avoid exploitation. I don't see a better way here yet.
Which seems to be reliable enough to me :)
I'm not knowledgeable enough about this, let me study a little bit and come back to you.
Note that e81e9d02b7f3b220e76bb7940dac97307306a75f allows us to read anything safe, which is probably the best of what nyxt://
URLs can do.
lisp://
URLs are still the same -- checking buffer they are invoked from and thus presumably safe enough :)