react-native-ssl-public-key-pinning

Error on HTTP request to domain without

Open trippingtarballs opened this issue 1 year ago • 3 comments

Borrowed from a recently closed issue 😅 ty

I would like for the following to error:

  const onInitializePinning = async () => {
    try {
      await initializeSslPinning({
        'google.com': {
          includeSubdomains: true,
          publicKeyHashes: [
            'CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=',
            'hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=',
            'Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=',
            'QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=',
            'mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=',
          ],
        },
      });
    } catch (e) {
      console.log('ERROR -> ', e);
      setInitializeResult(`❌ ${e}`);
    }
  };

  const onFetch = async () => {
    try {
      const response = await fetch(`https://www.facebook.com`);
      console.log(`${response.ok ? '✅' : '❌'} Status: ${response.status}`);
    } catch (e) {
      console.log(`❌ ${e}`);
    }
  };

I appreciate the previous answer given:

"facebook.com is not listed in your pinning configuration, so the network connection passes since we don't do further checks on connections to facebook.com" -- comment

However, might it be possible to extend react-native-ssl-public-key-pinning such that a request to a domain that does not match an entry in the PinningOptions raises an error (or even a warning)?

I want a way to identify when a developer adds a fetch() request to a domain and forgets to also add the publicKeyHashes for that domain.

trippingtarballs, Nov 09 '23 14:11
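
One way to get the fail-closed behaviour requested above in application code, as an added example (not code from this issue or from react-native-ssl-public-key-pinning): a wrapper that refuses any request whose host is not covered by the pinning configuration. The names `PINNING_OPTIONS`, `findPinnedDomain`, `assertPinned` and `pinnedFetch` are hypothetical, the hash strings and `api.example.com` are constructed placeholders, and treating a missing `includeSubdomains` as false is an assumption.

```javascript
// Added example. Same shape as the object passed to initializeSslPinning in the
// post; 'api.example.com' and the hash strings are constructed placeholders.
const PINNING_OPTIONS = {
  'google.com': { includeSubdomains: true, publicKeyHashes: ['PLACEHOLDER_HASH_1='] },
  'api.example.com': { publicKeyHashes: ['PLACEHOLDER_HASH_2='] },
};

// Return the config key that covers `hostname`, or null when no entry applies.
// Assumption: an entry without includeSubdomains covers the exact host only.
function findPinnedDomain(hostname, options) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  for (const [domain, cfg] of Object.entries(options)) {
    const pinned = domain.toLowerCase();
    if (host === pinned) return domain;
    // Compare on a label boundary so "evilgoogle.com" never matches "google.com".
    if (cfg.includeSubdomains && host.endsWith('.' + pinned)) return domain;
  }
  return null;
}

// Throw unless `url` is HTTPS and its host is covered by a pinning entry.
function assertPinned(url, options = PINNING_OPTIONS) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== 'https:') {
    throw new Error(`Refusing non-HTTPS request to ${hostname}`);
  }
  const domain = findPinnedDomain(hostname, options);
  if (domain === null) {
    throw new Error(`No pinning entry covers "${hostname}"; add its publicKeyHashes`);
  }
  return domain;
}

// Drop-in replacement for fetch() that fails closed on unpinned hosts.
// fetchImpl is injectable so the guard can be unit-tested without a network.
async function pinnedFetch(url, init, options = PINNING_OPTIONS, fetchImpl = fetch) {
  assertPinned(url, options);
  return fetchImpl(url, init);
}
```

The guard only sees requests routed through `pinnedFetch` and only checks the initial URL, so redirects to another host and calls made by third-party libraries are outside its reach. Pairing it with a lint rule that bans bare `fetch` catches the forgotten-domain case at review time.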