fix: webxdc: CSP bypass #4011

Conversation

WofWca (Collaborator) commented Jul 5, 2024

This doesn't appear to fix an exploitable vulnerability because host-rules is already set to disable network access, so "XDC-01-002 WP1" from the Cure53 audit has not been brought back ever since the initial fix.

Initially fixed in a9e5242
Reintroduced in fd1f8ce

Related refactor commit 2cd310e

Also bring back and improve the PDF comment about "XDC-01-005 WP1"

@WofWca WofWca added bug Something isn't working webxdc labels Jul 5, 2024
@WofWca WofWca requested a review from Simon-Laux July 5, 2024 14:57
@WofWca WofWca force-pushed the wofwca/fix-webxdc-csp-bypass branch from e8988e7 to 5417b58 Compare July 5, 2024 14:58
nicodh (Contributor) commented Jul 9, 2024

Concerning the comment:
"This doesn't appear to fix an exploitable vulnerability because host-rules is already set to disable network access,"

We should be aware that there is an ongoing discussion whether or not we should restrict internet to predefined URLs by host rules. It blocks some useful scenarios.

So we should not rely on host rules concerning XDC-01-002 WP1.

Simon-Laux (Member) commented Jul 9, 2024

I disagree with removing the host rules restriction; it not only protects us from this issue but also from others, and even from unknown ones.
If it's about the map, just make it possible to set HTTP headers in the core HTTP request function, and then we can use it for the map like we use it in the HTML email viewer.

nicodh (Contributor) commented Jul 9, 2024

I just wanted to mention that there is a discussion. No reason to discuss it here.

nicodh (Contributor) commented Jul 9, 2024

At least it means that this fix is useful anyway :-)
