nyxt icon indicating copy to clipboard operation
nyxt copied to clipboard

Published 20 hours ago verified publisher icon atlas-engineer

Protect lisp:// URLs? Allow any value in nyxt://?

Open Ambrevar opened this issue 2 years ago • 5 comments

See https://github.com/atlas-engineer/nyxt/pull/2306#discussion_r884151097 for a discussion. We may have to tweak our schemes a bit.

Ambrevar avatar Jun 14 '22 09:06 Ambrevar

Wait, why protect lisp:// URLs? They are pretty protected already, only allowing requests from internal buffers/pages...

aartaka avatar Jun 14 '22 17:06 aartaka

Because you said

lisp:// URLs are not protected by WebKit, and they are CORS-ready, which makes them extemely open to any request (and exploitation).

Ambrevar avatar Jun 14 '22 18:06 Ambrevar

Because you said

lisp:// URLs are not protected by WebKit, and they are CORS-ready, which makes them extemely open to any request (and exploitation).

But I've said a sentence after:

That's why we check the buffer and URL of all the lisp:// requests in the scheme callback—to avoid exploitation. I don't see a better way here yet.

Which seems to be reliable enough to me :)

aartaka avatar Jun 14 '22 18:06 aartaka

I'm not knowledgeable enough about this, let me study a little bit and come back to you.

Ambrevar avatar Jun 15 '22 16:06 Ambrevar

Note that e81e9d02b7f3b220e76bb7940dac97307306a75f allows us to read anything safe, which is probably the best of what nyxt:// URLs can do.

lisp:// URLs are still the same -- checking buffer they are invoked from and thus presumably safe enough :)

aartaka avatar Aug 29 '22 12:08 aartaka