
cross site spoofing with localStorage between 2 repos

Open bulk88 opened this issue 5 years ago • 4 comments

If a GitHub Pages repo is accessed through githack, in many cases a website will render and operate as intended, locating all resources through githack instead of GitHub/Fastly; the user must visually ignore the address bar, but for localStorage, ummm, the origin will be "rawcdn.githack.com", and localStorage contents can easily be fetched later by a malicious GitHub Pages repo from the sensitive GitHub Pages repo running on the wrong origin. Not sure if there is a real bug, since GitHub Pages shouldn't have a concept of "logging in", but some GH Pages sites do "login" with localStorage. Feel free to close if there is no quick fix.

I've used githack as a quick and dirty different "origin" for a GH Pages site when a CORS API WAF got tired of my anonymous, no-API-key usage and punished my Origin: header by omitting "Access-Control-Allow-Credentials: true" from the response for some minutes, and I had already burned through the official domain and "http://localhost". file:// doesn't work, as that makes a browser send "Origin: null" for XHR CORS.

bulk88 avatar Aug 02 '20 00:08 bulk88

You shouldn't use the githack CDN as a website. You should only use it to serve assets. Examples are js, css and img files, not html files.

binary-person avatar Mar 01 '21 18:03 binary-person

Well, you could use it for static websites — why not?

neoascetic avatar Mar 02 '21 07:03 neoascetic

why not?

I guess you can, but you need to be careful. Let's say there are site A and site B. Site A uses localStorage to store some info. Site B is malicious. Site B can easily get site A's localStorage and bypass all cross-site-related protections because they are served under the same domain.

A remedy for this would be to instead use github.io's system and serve each user under a subdomain, but that's likely not going to happen.

binary-person avatar Mar 03 '21 13:03 binary-person

You might be able to implement this by using subdomains instead of paths for user, service: bulk88.github.githackcdn/repo/commitish/path/file (or even put the repo in a subdomain as well). Then submit your CDN to the Public Suffix List and you should be good.

Edit: Cloudflare now allows free users to use wildcards.

Efreak avatar Jun 23 '22 19:06 Efreak
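To make the origin point from this thread concrete, here is an added JavaScript example (not code from the thread or from githack) that builds the URL a repo file gets under the path-based layout rawcdn.githack.com uses and under the subdomain-per-user layout Efreak sketches, then groups the URLs by the origin a browser would key localStorage on. The base domain `githackcdn.example` is an assumption standing in for whatever host such a CDN would use.

```javascript
// Added example: which hosted repos would share one localStorage origin?
// Browsers scope localStorage to the origin, i.e. (scheme, host, port); the
// URL path plays no part, so two repos under one host share storage.

// Path-based layout as on rawcdn.githack.com: every user and repo sits under
// a single host, so all of them share one origin.
function pathLayoutUrl(user, repo, commitish, file) {
  return `https://rawcdn.githack.com/${user}/${repo}/${commitish}/${file}`;
}

// Subdomain-per-user layout suggested in the thread. The base domain is an
// assumption. For full isolation the base would also need a Public Suffix
// List entry so sibling subdomains are not treated as one "site" for cookies.
function subdomainLayoutUrl(user, repo, commitish, file, base = "githackcdn.example") {
  return `https://${user}.${base}/${repo}/${commitish}/${file}`;
}

// Group URLs by the origin the browser would use for localStorage.
// Returns a Map: origin -> array of the URLs that share that origin.
function groupByStorageOrigin(urls) {
  const groups = new Map();
  for (const u of urls) {
    const origin = new URL(u).origin; // scheme://host[:port], path dropped
    if (!groups.has(origin)) groups.set(origin, []);
    groups.get(origin).push(u);
  }
  return groups;
}

// True if a page at siteB can read localStorage written by a page at siteA.
function sharesStorage(siteA, siteB) {
  return new URL(siteA).origin === new URL(siteB).origin;
}

// Constructed sample: a site from one user that "logs in" via localStorage,
// and an unrelated page from another user hosted on the same CDN.
const repos = [
  ["alice", "dashboard", "main", "index.html"],
  ["bob", "demo", "main", "index.html"],
];
const pathUrls = repos.map((r) => pathLayoutUrl(...r));
const subUrls = repos.map((r) => subdomainLayoutUrl(...r));

console.log("path layout:", [...groupByStorageOrigin(pathUrls).keys()]);
// → [ 'https://rawcdn.githack.com' ]  (one origin: storage is shared)
console.log("subdomain layout:", [...groupByStorageOrigin(subUrls).keys()]);
// → [ 'https://alice.githackcdn.example', 'https://bob.githackcdn.example' ]
```

The same grouping applied to a list of real deployment URLs shows at a glance which sites would see each other's localStorage before any of them is trusted with a session token.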