
Consider designing a redirector service for pub.dev

Open jonasfj opened this issue 6 years ago • 2 comments

To mask the referrer header, we should consider making external links go through a redirect. This also hardens a few other XSS vectors.

See: https://en.wikipedia.org/w/index.php?title=URL_redirection&oldid=917753021#Referrer_masking

Note: It is critical that such a service only allows redirecting URLs embedded on pub.dev, and cannot be used for arbitrary URL redirection. Hence, URLs would need signing or something else.

jonasfj avatar Nov 01 '19 09:11 jonasfj
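An added sketch of the signing idea raised in the comment above; it is not pub.dev code and not from the issue author. It assumes an HMAC-SHA256 tag over the target URL, a hypothetical `/redirect` endpoint with `url` and `sig` parameters, and a constructed demo key.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key (assumption); a real service would load it from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
REDIRECT_PATH = "/redirect"  # hypothetical endpoint name
ALLOWED_SCHEMES = ("http", "https")


def _tag(target: str) -> str:
    """URL-safe base64 HMAC-SHA256 tag over the exact target string."""
    mac = hmac.new(SIGNING_KEY, target.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_link(target: str) -> str:
    """Run at render time for each external link embedded in a page."""
    if urlsplit(target).scheme not in ALLOWED_SCHEMES:
        raise ValueError("only http(s) targets are signed")
    return REDIRECT_PATH + "?" + urlencode({"url": target, "sig": _tag(target)})


def resolve(request_uri: str):
    """Return the redirect target, or None when the request must be rejected."""
    query = parse_qs(urlsplit(request_uri).query)
    targets, sigs = query.get("url", []), query.get("sig", [])
    if len(targets) != 1 or len(sigs) != 1:
        return None  # missing or duplicated parameters
    target, sig = targets[0], sigs[0]
    # Constant-time comparison: only URLs signed at render time pass.
    if not hmac.compare_digest(_tag(target).encode("ascii"), sig.encode("utf-8")):
        return None
    # Re-check the scheme in case a non-http(s) URL was ever signed by mistake.
    if urlsplit(target).scheme not in ALLOWED_SCHEMES:
        return None
    return target
```

Because the tag covers the whole target string, changing any part of `url` invalidates the link, so the endpoint cannot be pointed at a destination that was never rendered on the site.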

Note: it's not clear if we should do this. I just want to open the discussion.

See also: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md

jonasfj avatar Nov 01 '19 10:11 jonasfj

I'm not sure this is still relevant. @jonasfj should we just close?

sigurdm avatar Sep 26 '24 08:09 sigurdm